Table: trivy_scan_vulnerability - Query Trivy Vulnerabilities using SQL
Trivy is an open-source, simple, and comprehensive vulnerability scanner for containers and other artifacts. It is designed to scan for vulnerabilities in OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Trivy is easy to use, just install the binary and you're ready to scan.
Table Usage Guide
The trivy_scan_vulnerability table provides the results of Trivy vulnerability scans. As a security analyst, explore vulnerability-specific details through this table, including the severity, package name, installed version, and fixed version. Use it to find vulnerabilities that are critical and need immediate attention, and to verify the versions of the packages installed in each scanned artifact.
Important Notes
- To list all vulnerability definitions, use the trivy_vulnerability table instead.
Examples
Scan all targets defined in trivy.spc for vulnerabilities
Explore potential vulnerabilities in defined targets by identifying the artifact type, name, and installed version. This can aid in assessing the security risks and taking appropriate mitigation measures.
```sql
select
  artifact_type,
  artifact_name,
  target,
  vulnerability_id,
  installed_version
from
  trivy_scan_vulnerability;
```
Scan a specific directory for vulnerabilities
Determine the areas in which vulnerabilities exist within a specific directory. This aids in identifying potential security risks and ensuring the safety of your system.
```sql
select
  target,
  vulnerability_id,
  installed_version
from
  trivy_scan_vulnerability
where
  artifact_type = 'filesystem'
  and artifact_name = '/Users/jane/src/steampipe';
```
Scan a specific container image for vulnerabilities
Explore which specific container images may have vulnerabilities by pinpointing the ones with installed versions that have known issues. This helps in maintaining a secure environment by identifying and addressing potential threats.
```sql
select
  target,
  vulnerability_id,
  installed_version
from
  trivy_scan_vulnerability
where
  artifact_type = 'container_image'
  and artifact_name = 'turbot/steampipe';
```
Count of vulnerabilities by artifact
Analyze the distribution of vulnerabilities across different artifacts to understand which ones may pose a higher risk due to a larger number of vulnerabilities. This can help prioritize remediation efforts and improve overall system security.
```sql
-- PostgreSQL
select
  artifact_type,
  artifact_name,
  count(*)
from
  trivy_scan_vulnerability
group by
  artifact_type,
  artifact_name
order by
  count desc;
```

```sql
-- SQLite
select
  artifact_type,
  artifact_name,
  count(*)
from
  trivy_scan_vulnerability
group by
  artifact_type,
  artifact_name
order by
  count(*) desc;
```
All vulnerabilities for the libc6 package
Explore all potential security risks associated with the 'libc6' package. This allows you to understand the vulnerabilities linked to this package and prioritize updates or patches accordingly.
```sql
select
  artifact_type,
  artifact_name,
  target,
  vulnerability_id,
  installed_version
from
  trivy_scan_vulnerability
where
  package_name = 'libc6'
order by
  artifact_type,
  artifact_name,
  target,
  vulnerability_id;
```
Vulnerabilities by package
Analyze the vulnerabilities associated with each package in your system, helping you understand the risk profile of your software stack. This could be useful in prioritizing updates and patches, and managing overall system security.
```sql
-- PostgreSQL
select
  class,
  type,
  package_name,
  count(*),
  array_agg(vulnerability_id)
from
  trivy_scan_vulnerability
group by
  class,
  type,
  package_name
order by
  count desc;
```

```sql
-- SQLite
select
  class,
  type,
  package_name,
  count(*),
  group_concat(vulnerability_id)
from
  trivy_scan_vulnerability
group by
  class,
  type,
  package_name
order by
  count(*) desc;
```
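Prioritize fixable findings by severity

The Table Usage Guide above points at the vulnerabilities that are critical and already have a fixed version. The following queries are an added example, not part of the plugin's documented examples; they use only the severity, fixed_version and installed_version columns listed in the schema below, and rank severity with a CASE expression rather than an engine-specific function so the same text runs on both PostgreSQL and SQLite. The empty-string check alongside the null check is an assumption about how an absent fixed version is stored.

```sql
-- Added example (not from the plugin docs): CRITICAL and HIGH findings for
-- which Trivy reports a fixed version, i.e. remediable by upgrading the package.
-- The empty-string test covers the case where "no fix" is stored as '' rather
-- than NULL (assumed; adjust if your data only uses NULL).
select
  artifact_type,
  artifact_name,
  target,
  package_name,
  installed_version,
  fixed_version,
  severity,
  vulnerability_id
from
  trivy_scan_vulnerability
where
  severity in ('CRITICAL', 'HIGH')
  and fixed_version is not null
  and fixed_version <> ''
order by
  case severity
    when 'CRITICAL' then 1
    when 'HIGH' then 2
    else 3
  end,
  artifact_type,
  artifact_name,
  package_name;

-- Added example: severity breakdown per artifact, using conditional aggregation
-- so that every artifact appears once with a column per severity level.
select
  artifact_type,
  artifact_name,
  sum(case when severity = 'CRITICAL' then 1 else 0 end) as critical,
  sum(case when severity = 'HIGH'     then 1 else 0 end) as high,
  sum(case when severity = 'MEDIUM'   then 1 else 0 end) as medium,
  sum(case when severity = 'LOW'      then 1 else 0 end) as low,
  count(*) as total
from
  trivy_scan_vulnerability
group by
  artifact_type,
  artifact_name
order by
  critical desc,
  high desc,
  total desc;
```

The first query is the list you hand to whoever owns the artifact: every row can be closed by moving from installed_version to fixed_version. The second gives the per-artifact picture that the plain count in "Count of vulnerabilities by artifact" hides, since an artifact with one CRITICAL finding usually matters more than one with twenty LOW findings.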
Schema for trivy_scan_vulnerability
Name | Type | Operators | Description
---|---|---|---
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name.
artifact_name | text | = | Name of the artifact containing the vulnerability.
artifact_type | text | = | Type of artifact containing the vulnerability, e.g. container_image.
class | text | | Class of the package, e.g. lang-pkgs, os-pkgs.
cvss | jsonb | | Common Vulnerability Scoring System details for the vulnerability.
cwe_ids | jsonb | | Array of Common Weakness Enumeration IDs associated with this vulnerability, e.g. [CWE-252, CWE-384].
data_source | jsonb | | Data source for the vulnerability definition.
description | text | | Description of the vulnerability.
fixed_version | text | | Version in which the vulnerability is fixed.
installed_version | text | | Version of the package found in the artifact.
last_modified_date | timestamp with time zone | | Date when the vulnerability was last modified.
layer | jsonb | | Definition of the layer.
package_id | text | | Unique ID of the package, e.g. node-fetch@2.6.1.
package_name | text | | Name of the package that has the vulnerability.
package_path | text | | Path for the package.
primary_url | text | | Primary URL for the vulnerability definition.
published_date | timestamp with time zone | | Date when the vulnerability was published.
references | jsonb | | Reference URLs for the vulnerability.
severity | text | | Severity of the vulnerability, e.g. LOW, MEDIUM, HIGH, CRITICAL.
severity_source | text | | Source of the severity definition.
target | text | | Target within the artifact, e.g. library file or container image.
title | text | | Title of the vulnerability.
type | text | | Type of the package, e.g. debian, ubuntu, yarn, npm, gomod.
vendor_ids | jsonb | | Vendor IDs for this vulnerability.
vendor_severity | jsonb | | Severity of the vulnerability as assigned by the vendor.
vulnerability_id | text | | ID of the vulnerability.
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- trivy
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_trivy --config '<your_config>' trivy_scan_vulnerability
```