Trivy Vulnerability Explorer

Large Trivy reports tend to become hard to grasp, that is why this project was created. It is a web application that allows to load a Trivy report in json format and displays the vulnerabilities of a single target in an interactive data table.

Figure 1. Screenshot of the application

Usage

Head over to the application and load a Trivy report .json file. For example, to scan an outdated alpine image, you can run the following command to create an alpine-3.9.2.json report.

trivy i -f json -o alpine-3.9.2.json alpine:3.9.2

Now load this file in the vulnerability explorer and start exploring. You can filter by term or click one of the categories in the filter bar to dig into the data. You can also use the example file in the repo.

The data never leaves your browser, because all processing is handled inside your browser. Of course, you can feel free to fork this project and deploy your own version. If you do so, I would be happy if you leave me a comment and a star on the repository.

Integration with GitLab Job

If you are using a GitLab Job to generate the Trivy report, you can supply a direct URL to the json file. The app will fetch the report and display the results without the hassle to first download the file. You might need to provide a token for authentication, you can do that by clicking the shield symbol next to the URL field. Make sure to create a personal access token with the scope read_api. The token will be persisted in the local storage, so that you can reuse it the next time you want to load a report from the same GitLab instance.

You can pass a query parameter url to the app, and it will load a file from this url on startup. It is a good idea to print the URL of the vulnerability explorer at the end of the job log, so that the user can jump directly to the vulnerability report. If the name of the report is trivy-results.json, the url schema would look like this:

https://dbsystel.github.io/trivy-vulnerability-explorer/#/?url=https://$CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/jobs/$CI_JOB_ID/artifacts/trivy-results.json

Caution

There was a recent change in the implementation of the Routing, make sure to include the # within the URL, otherwise this feature will not work.

Note	While the feature was built having GitLab in mind, it should work for every artifact storage, where the json can be downloaded with a GET HTTP request that needs at most a single HTTP header for authentication.

Contribute

See How to contribute

Development

Setup

npm install

Compiles and hot-reloads for development

npm run serve

Run via Docker

$ docker build -t <image_name> .

ex. docker build -t trivy-explorer .

$ docker run -p <local-port>:8080 --name <container-name> <image-name>

ex. docker run -p 5000:8080 --name sec-scan trivy-explorer

License

This project is licensed under Apache-2.0