Scan generated trivy report with trivy #4353
Replies: 5 comments
-
It can also be useful when scanning a kubernetes cluster. Say I have dozens to hundreds of images running and I scan a whole cluster. It could take a really long time. So in that case, having the scan run automatically to generate a report of every image would make sense, and then the report might be emailed to my manager or something. Well he doesn't want to have to scan through thousands of medium and lower severity vulnerabilities to find all of the high severity ones in my report. So this can save time for people reading through reports and allow filtering the report for specific content. So this might also be a good use case for the feature.
-
BTW this is a dedicated issue for the comments I had put in #720. I had been unable to locate my comments last week, however someone commented over there this morning which allowed me to find it again. In that thread, they also mentioned that the double scanning invalidates earlier results, which would be another use case for this feature, and one that makes this highly desirable.
-
Sounds like what you want is to generate an SBOM with Trivy, and then scan that SBOM multiple times. WDYT?
-
Very close, it would be useful to simply be able to scan an SBOM for vulnerabilities.
-
You can do this today with the
-
Hi!
I have an idea that would make trivy scans faster in my pipelines.
Use case
I'm not sure if this is a common use case, so I appreciate feedback from other users here.
Currently when we run our pipelines, we use the trivy docker image, and we run trivy in the image with the following flags to generate a report of all vulnerabilities in the image without causing the job to fail:
--exit-code 0 --format json --output /tmp/reports/trivy-report.json --input /tmp/artifact.tar
Next, in the same job, we run trivy again with the following flags to break the pipeline on any unfixed HIGH and CRITICAL severity vulnerabilities:
--exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed --input /tmp/artifact.tar
With some of our artifacts, the file size is pretty large, so the scan takes a while even just running it once, and so the second run doubles the runtime. So if a scan of one of these large images would normally take 4 minutes, it's taking 8 because of the second run.
This is a waste of pipeline minutes but a necessary use case for us because we have to report on all vulnerabilities to management, but we are okay to ignore the MEDIUM severity and lower vulnerabilities at this time.
Idea
After generating the report, scanning the complete artifact again has no point. We already know about all of the vulnerabilities, and simply want to break the pipeline for unfixed HIGH and CRITICAL.
So it would be really great if we can have a new command to trivy which simply reads its own reports for the vulnerability details and then can take
--exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed
and do exactly what those flags do when scanning a real target.
I was thinking about how much time this will save in pipeline minutes (not to mention engineers sitting around waiting for the scan job to finish). It could be a lot per month given a high volume of commits which trigger a scan.
It can be similar to the trivy sbom command. I'm not sure what the right name would be to give this new command, so I leave that to you to decide, if this is accepted.
Thanks in advance!
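The two things asked for in this thread, gating a pipeline on `--severity HIGH,CRITICAL --ignore-unfixed` without rescanning (original post) and filtering a saved report down to the findings a reader cares about (first comment), can both be done by post-processing the JSON that `--format json --output` already produced. The script below is an added example, not Trivy code and not something any participant posted. It assumes the report layout Trivy writes with `--format json` (a `Results` list whose entries carry a `Vulnerabilities` list with `Severity` and `FixedVersion` fields; older releases wrote the `Results` array at the top level, which is also handled); the sample report embedded in it is constructed, and its CVE identifiers and package names are placeholders.

```python
"""Gate a pipeline on an existing Trivy JSON report instead of scanning twice.

Added example, not part of Trivy or of the discussion above. Assumes the
--format json layout: {"Results": [{"Target": ..., "Vulnerabilities": [...]}]}
where each vulnerability carries "Severity" and "FixedVersion".
"""
import json
import sys

# Constructed sample report (shape follows Trivy's --format json output,
# SchemaVersion 2). CVE IDs and package names are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "artifact.tar",
    "Results": [
        {
            "Target": "example (alpine 3.18)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "liba",
                 "InstalledVersion": "1.0", "FixedVersion": "1.1",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libb",
                 "InstalledVersion": "2.0", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libc2",
                 "InstalledVersion": "3.0", "FixedVersion": "3.1",
                 "Severity": "MEDIUM"},
            ],
        },
        # Targets with no findings have "Vulnerabilities": null in Trivy output.
        {"Target": "app/requirements.txt", "Vulnerabilities": None},
    ],
})


def load_results(report_text):
    """Return the per-target result list from a Trivy JSON report.

    Accepts both the SchemaVersion 2 object ({"Results": [...]}) and the
    older top-level array that pre-0.20 releases wrote.
    """
    data = json.loads(report_text)
    if isinstance(data, list):
        return data
    return data.get("Results") or []


def filter_findings(report_text, severities=("HIGH", "CRITICAL"),
                    ignore_unfixed=False):
    """Select findings the way --severity / --ignore-unfixed do during a scan."""
    wanted = {s.upper() for s in severities}
    selected = []
    for result in load_results(report_text):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity", "UNKNOWN").upper() not in wanted:
                continue
            # --ignore-unfixed drops findings with no FixedVersion.
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            selected.append({"Target": result.get("Target"), **vuln})
    return selected


def exit_code_for(report_text, severities=("HIGH", "CRITICAL"),
                  ignore_unfixed=True):
    """Mirror --exit-code 1: non-zero iff any selected finding remains."""
    return 1 if filter_findings(report_text, severities, ignore_unfixed) else 0


def main(argv):
    # Usage: python gate.py /tmp/reports/trivy-report.json
    # Without a path the constructed sample report is used.
    path = argv[1] if len(argv) > 1 else None
    text = open(path).read() if path else SAMPLE_REPORT
    for f in filter_findings(text, ignore_unfixed=True):
        print(f"{f['Severity']:<8} {f['VulnerabilityID']} {f['PkgName']} "
              f"{f['InstalledVersion']} -> {f['FixedVersion']} ({f['Target']})")
    return exit_code_for(text, ignore_unfixed=True)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run once with `--exit-code 0 --format json --output /tmp/reports/trivy-report.json`, then point this script at the saved file as the second pipeline step; it reads the report the first scan already wrote, so the artifact is never scanned a second time. Note the caveat raised in the thread about reusing earlier results: the report reflects the vulnerability database as of the first scan, so a gate computed from it can be stale if the database has been updated since.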