Master
工具

Trivy

NOT ON THE CURRENT EDITION
This blip is not on the current edition of the Radar. If it was on one of the last few editions it is likely that it is still relevant. If the blip is older it might no longer be relevant and our assessment might be different today. Unfortunately, we simply don't have the bandwidth to continuously review blips from previous editions of the RadarUnderstand more
Published: Nov 20, 2019
Last Updated: Oct 28, 2020
Oct 2020
采纳?

用来创建和部署容器的流水线,应该包含容器安全扫描这个步骤。我们的团队尤其喜欢 Trivy ——一个针对容器的漏洞扫描器。在这个领域的工具中,我们尝试过 ClairAnchore Engine。跟 Clair 不一样,Trivy 不止会检查容器,而且会检查代码库中的依赖。同时,由于它是一个独立的二进制包,所以更容易在本地设置和运行。Trivy 的其他好处还有,它是开源软件,并支持 distroless containers 容器。

Nov 2019
试验?

我们应该在生成和部署容器的构建流水线中引入容器安全扫描。我们团队特别喜欢Trivy——一款用于容器的漏洞扫描器。它提供独立的二进制文件,相比于其他工具更容易安装和配置。而且Trivy是开源软件,并支持Distroless容器