Run Trivy from docker on Mac

Official documentation: https://aquasecurity.github.io/trivy/v0.38/

On a zsh terminal on a Mac

Just run the image and pass the trivy commands as documented. To get version:

docker run aquasec/trivy version

Scan code from local file system

docker run -v /host/src/to/scan:/target aquasec/trivy --debug fs /target > trivy-output-report.txt

The file trivy-output-report.txt is created on the host, in the folder the command is run from.

Documentation for local file system scan: https://aquasecurity.github.io/trivy/v0.20.2/getting-started/cli/fs/

Scan code from repo

As per documentation, only public repositories are supported (https://aquasecurity.github.io/trivy/v0.20.2/vulnerability/scanning/git-repository/):

docker run aquasec/trivy repo REPO_URL

Scan local .NET repo

In .NET, Trivy uses packages.config and *.deps.json. Since we don’t use packages.config (we use ), we need to build the solution to generate the PROJECT.deps.json in the bin folder. (Also, for this reason the remote scan probably would not work for our .NET solutions?)

git clone https://luismesaaily@bitbucket.org/AilyLabs/aily-api.git
dotnet build SRC/SOLUTION.sln
docker run -v /HOST/SRC:/target aquasec/trivy --debug fs /target > trivy-output-report.txt
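
A pre-flight check for the .NET scan above, as an added example that is not part of the original notes: it refuses to scan when no packages.config or *.deps.json exists under the source folder, so an empty report from an unbuilt checkout is not read as "no vulnerabilities", and it lists projects that look unbuilt. The function names, the *.csproj heuristic and the exit code 2 are assumptions of this example; the docker command is the one used above.

```shell
#!/usr/bin/env bash
# Added example (assumptions: function names, *.csproj heuristic, exit code 2).
# Checks that a .NET checkout contains the files Trivy reads before scanning it.

# List the dependency manifests named in the notes found under directory $1.
dotnet_dep_files() {
  find "$1" -type f \( -name 'packages.config' -o -name '*.deps.json' \) 2>/dev/null
}

# Succeed only if at least one manifest exists under $1.
has_dotnet_dep_files() {
  [ -n "$(dotnet_dep_files "$1")" ]
}

# Heuristic: print every *.csproj whose folder tree holds no manifest (likely not built).
unbuilt_projects() {
  find "$1" -type f -name '*.csproj' 2>/dev/null | while IFS= read -r proj; do
    has_dotnet_dep_files "$(dirname "$proj")" || printf '%s\n' "$proj"
  done
}

# Scan $1 with the same docker command as above; report name defaults to the notes' file.
scan_dotnet() {
  # docker -v needs an absolute host path, so resolve it first.
  src="$(cd "$1" 2>/dev/null && pwd)" || { echo "Not a directory: $1" >&2; return 2; }
  report="${2:-trivy-output-report.txt}"
  if ! has_dotnet_dep_files "$src"; then
    echo "No packages.config or *.deps.json under $src; run dotnet build first." >&2
    return 2
  fi
  missing="$(unbuilt_projects "$src")"
  if [ -n "$missing" ]; then
    echo "Warning: projects without a dependency manifest will not be covered:" >&2
    printf '%s\n' "$missing" >&2
  fi
  docker run -v "$src":/target aquasec/trivy --debug fs /target > "$report"
}

# Run a scan only when a source folder is passed on the command line.
if [ "$#" -gt 0 ]; then
  scan_dotnet "$@"
fi
```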