This skill should be used when scanning container images, filesystems, or repositories for vulnerabilities using Trivy. Use for CVE detection, security analysis, vulnerability comparison across image versions, understanding scan output (severity levels, status fields), and batch scanning multiple images.
trivy

Source: plinde/claude-plugins (GitHub)

January 14, 2026

Install with:

```bash
npx add-skill https://github.com/plinde/claude-plugins/blob/main/trivy/skills/trivy/SKILL.md -a claude-code --skill trivy
```

Installation paths:
`.claude/skills/trivy/`

# Trivy Vulnerability Scanner

## Core Commands

### Node.js / Filesystem Scanning

```bash
# Scan current directory for vulnerabilities (package.json/package-lock.json)
trivy fs --scanners vuln .

# Include dev dependencies (devDependencies in package.json)
trivy fs --scanners vuln --include-dev-deps .

# Scan specific package-lock.json file
trivy fs --scanners vuln package-lock.json

# JSON output for CI/CD pipelines
trivy fs --scanners vuln --format json -o results.json .

# Fail the pipeline on HIGH/CRITICAL only (--severity alone only filters the
# report; --exit-code makes the scan return non-zero when findings remain)
trivy fs --scanners vuln --severity HIGH,CRITICAL --exit-code 1 .

# Scan a repository (GitHub URL)
trivy repo --scanners vuln https://github.com/org/repo
```

**Supported Node.js files:**

- `package.json` + `package-lock.json` (npm)
- `yarn.lock` (Yarn)
- `pnpm-lock.yaml` (pnpm)

### Basic Image Scanning

```bash
# Scan with severity filter (recommended)
trivy image --severity HIGH,CRITICAL <image:tag>

# All severities
trivy image <image:tag>

# JSON output for automation
trivy image --format json --output results.json <image:tag>
```

### Common Patterns

```bash
# Compare two versions
trivy image --severity HIGH,CRITICAL image:18.3.2 > v1.txt
trivy image --severity HIGH,CRITICAL image:18.4.0 > v2.txt
diff v1.txt v2.txt

# Batch scan multiple images (use provided script)
scripts/batch_scan.sh alpine:latest nginx:latest postgres:16

# Compare versions (use provided script)
scripts/compare_versions.sh public.ecr.aws/org/image 18.3.2 18.4.0 18.5.0
```

## Output Formats

```bash
# Table (default, human-readable)
trivy image --format table <image:tag>

# JSON (machine-readable)
trivy image --format json <image:tag>

# SARIF (GitHub/GitLab integration)
trivy image --format sarif <image:tag>
```

## Scanner Types

Use `--scanners` to control what Trivy scans:

```bash
# Vulnerability only (faster, recommended)
trivy image --scanners vuln <image:tag>

# Vulnerabilities + secrets
trivy image --scanners vuln,secret <image:tag>

# All scanners (vuln, secret, misconfig, license)
trivy im
```
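Diffing two table reports, as in the "Compare two versions" pattern above, shows changed lines but not which CVEs were fixed, introduced or carried over. The JSON output has a stable structure (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `Severity`, `Status`) that can be compared directly. The script below is an added example, not part of the skill or of Trivy; the two reports are constructed inline with placeholder CVE ids and package versions, and a `Result` entry with no findings has no `Vulnerabilities` key, which the parser has to tolerate.

```python
"""Compare two Trivy JSON reports (trivy image --format json) and bucket the
findings into fixed / introduced / remaining between two image versions."""
import json

# Constructed sample reports in the shape of Trivy's JSON output (SchemaVersion 2).
# CVE ids, packages and versions are illustrative placeholders, not real findings.
REPORT_V1 = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "image:18.3.2",
    "Results": [{"Target": "image:18.3.2 (alpine 3.18)", "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "Severity": "CRITICAL", "Status": "fixed"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "Severity": "MEDIUM", "Status": "fixed"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "Severity": "HIGH", "Status": "affected"},
        ]}]})
REPORT_V2 = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "image:18.4.0",
    "Results": [{"Target": "image:18.4.0 (alpine 3.19)", "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "Severity": "HIGH", "Status": "affected"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "curl", "Severity": "HIGH", "Status": "fixed"},
        ]},
        # A clean target: Trivy omits the Vulnerabilities key entirely.
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm"}]})

def findings(report_json, severities=("HIGH", "CRITICAL")):
    """Return {(VulnerabilityID, PkgName): Severity} restricted to the given
    severities, mirroring what `--severity HIGH,CRITICAL` would report."""
    report = json.loads(report_json)
    out = {}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:   # key absent when clean
            if vuln["Severity"] in severities:
                out[(vuln["VulnerabilityID"], vuln["PkgName"])] = vuln["Severity"]
    return out

def compare(old_json, new_json, severities=("HIGH", "CRITICAL")):
    """Set-compare the two reports; keys are (CVE, package) so a CVE that moves
    between packages is reported rather than silently matched."""
    old, new = findings(old_json, severities), findings(new_json, severities)
    return {
        "fixed": sorted(old.keys() - new.keys()),
        "introduced": sorted(new.keys() - old.keys()),
        "remaining": sorted(old.keys() & new.keys()),
    }

if __name__ == "__main__":
    for bucket, items in compare(REPORT_V1, REPORT_V2).items():
        print(f"{bucket}: {[f'{cve} ({pkg})' for cve, pkg in items]}")
```

Point `findings()` at files written with `--format json -o results.json` instead of the inline strings to use it in a pipeline.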