lazytrivy is a wrapper for Trivy that allows you to run Trivy without remembering the command arguments.
The idea was very heavily inspired by the superb tools from Jesse Duffield ( lazydocker, lazynpm, lazygit)
- Image Scanning
- File System Scanning
lazytrivy will run Trivy in a docker container and display the results in a terminal UI, the intention is that this will make it more stable across all platforms.
When running a Filesystem scan, lazytrivy will mount the target dir in the container and run Trivy against it.
Trivy intermittently downloads the latest DB - while lazytrivy maintains a cache, if you experience a delay in the scanning of an image or filesystem, it is likely trivy is running a download.
If you're interested in seeing what's happening behind the scenes in Docker, I'd thoroughly recommend using LazyDocker.
In order for lazytrivy to be cross-platform, it uses the Trivy docker image. This means that you will need to have Docker running on your machine for lazytrivy to work.
The quickest way to install if you have Go
installed is to get the latest with go install
go install github.com/owenrumney/lazytrivy@latest
Alternatively, you can get the latest releases from GitHub
A config file can be added to ~/.config/lazytrivy/config.yml
to set default options.
vulnerability:
ignoreunfixed: false
filesystem:
scansecrets: true
scanmisconfiguration: true
scanvulnerabilities: true
cachedirectory: ~/.cache
debug: true
trace: false
Settings can be adjusted via the UI by pressing the ,
key at any time.
By setting debug
to true, additional logs will be generated in /tmp/lazytrivy.log
lazytrivy
is super easy to use, just run it with the following command:
lazytrivy --help
Usage:
lazytrivy [command]
Available Commands:
filesystem Launch lazytrivy in filesystem scanning mode
help Help about any command
image Launch lazytrivy in image scanning mode
Flags:
--debug Launch with debug logging
--docker-host string Docker host to connect to (default "unix:///var/run/docker.sock")
-h, --help help for lazytrivy
--trace Launch with trace logging
Use "lazytrivy [command] --help" for more information about a command.
Logs are generated in $HOME/.lazytrivy/logs/lazytrivy.log
with the default level at info
. You can change the log level by setting the --debug
flag.
To get even more information (more than you need), you can set the --trace
flag. This will generate a lot of logs, so be careful and most of it is for tracking the position of the cursor, Docker events etc.
By default, lazytrivy will connect to the docker daemon on the local machine by looking at the current context.
The default docker host is unix:///var/run/docker.sock
. If you are running Docker on a remote host, you can set the docker host with the --docker-host
flag.
### Starting in a specific mode
You can start `lazytrivy` in a specific mode using `images` or `filesystem`:
For example, to scan a specific filesystem folder, you could run:
```bash
lazytrivy fs --path /home/owen/code/github/owenrumney/example
This will start in filesystem mode pointing to the specified path. If no path is provided it will point to the current working directory.
lazytrivy will work with podman in non-root mode, you do however need to be careful to either start podman in a different terminal to lazytrivy or pipe the podman output to /dev/null
.
For example, you can start podman with
podman system service -t 3600 unix:///tmp/podman-run-1000/podman/podman.sock 2>/dev/null &
then start lazytrivy with
lazytrivy --docker-host unix:///tmp/podman-run-1000/podman/podman.sock image
Pressing a
will scan all the images that are shown in the left hand pane. On completion, you will be shown a
summary of any vulnerabilities found.
You can then scan individual images to get more details
Select an image from the left hand pane and press s
to scan it. Use the left and right arrow keys to switch between
views and up down arrow keys to select an image.
Press s
to scan the currently selected image.
To scan an image that is not already locally on the machine, you can use the r
key to scan a remote image.
To scan a filessystem, you can use the w
key to switch to Filesystem mode, from there you will get all the vulnerabilities, misconfigurations and secrets from the current working directory