Trivy Alternatives
Similar projects and alternatives to trivy
syft
CLI tool and library for generating a Software Bill of Materials from container images and filesystems
checkov
Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
snyk
Snyk CLI scans and monitors your projects for security vulnerabilities. [Moved to: https://github.com/snyk/cli]
kube-bench
Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
dockle
Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start
kubeval
Validate your Kubernetes configuration files, supports multiple Kubernetes versions
validkube
ValidKube combines the best open-source tools to help ensure Kubernetes YAML best practices, hygiene & security.
dockerfile
Dockerfile best-practices for writing production-worthy Docker images.
trivy reviews and mentions
software inventory of my ECS tasks
I actually want to build the same thing you are after, and I think I’ll go for the setup you describe in idea 2. The tool you can use for this is Trivy (https://trivy.dev), have it generate a SBOM and send it to Dependencytrack (https://dependencytrack.org).
Do you use dependency analysis and vulnerability detection tools?
Trivy scan - I have somewhat mixed feelings about that. It scans more stuff than OWASP DependencyCheck: Docker images, filesystem, VM, Kubernetes, etc. So in a way it is also very good. But then again, some of the vulnerabilities it finds are very difficult, if not impossible, to fix. Let's say it finds a vulnerability inside Gradle itself or inside Maven itself. These are tools that regular developers are not maintaining. Only the developers who actually develop Gradle/Maven itself and improve it can fix it. Or some pull requests on their projects. But you'll never know when your pull request gets accepted. Also, as it finds vulnerabilities in unorthodox places like the filesystem, Docker images, or VM images, it can be difficult for a common software developer to fix them. Sure, there are fixes and workarounds, but these are not straightforward.
Free tool for generating SBOM and CVEs against source or binaries
I've done some work in this space but not specifically on source code. A tool you could try out is Trivy from AquaSecurity. The filesystem scan option might work and can output SBOMs (here's the doc page). Using Trivy for docker images has worked quite well for me thus far so hopefully you have some luck using their filesystem or git repository options!
Vulnerability scanner written in Go that uses osv.dev data
I like trivy[1] a lot. Nice to see more alternatives like this.
Securing the software supply chain in the cloud
Trivy - Scan for open-source, code, container, and Infrastructure-as-Code vulnerabilities
'cargo auditable' can now be used as a drop-in replacement for Cargo
The data format is supported by cargo audit, Syft and Trivy. Reading it from your own tools is also very easy.
Improving your CI/CD Pipeline: Helm Charts Security Scanning with Trivy and GitHub Actions
In this article, I will demo how we can perform automated vulnerability scans for Helm Charts using GitHub Actions and Trivy.
Is OPA Gatekeeper the best solution for writing policies for k8s clusters?
Is this Dockerfile ready for production? Is the container automatically secure?
You could also do CVE scanning of your container in your pipeline before you push to a registry. Try Trivy https://github.com/aquasecurity/trivy or grype https://github.com/anchore/grype
Implement DevSecOps to Secure your CI/CD pipeline
Open source: Trivy, Grype and Clair are widely used open source tools for container scanning.
www.saashub.com | 30 Jan 2023
Stats
aquasecurity/trivy is an open source project licensed under Apache License 2.0 which is an OSI approved license.