Vulnerability scanning just got lazier
owenrumney/lazytrivy
lazytrivy is a wrapper for Trivy that allows you to run Trivy without remembering the command arguments.
The idea was very heavily inspired by the superb tools from Jesse Duffield (lazydocker, lazynpm, lazygit).
- Image Scanning
- File System Scanning
lazytrivy runs Trivy in a Docker container and displays the results in a terminal UI; the intention is that this makes it more stable across all platforms.
When running a Filesystem scan, lazytrivy will mount the target dir in the container and run Trivy against it.
Trivy intermittently downloads the latest DB - while lazytrivy maintains a cache, if you experience a delay in the scanning of an image or filesystem, it is likely trivy is running a download.
If you're interested in seeing what's happening behind the scenes in Docker, I'd thoroughly recommend using LazyDocker.
In order for lazytrivy to be cross-platform, it uses the Trivy docker image. This means that you will need to have Docker running on your machine for lazytrivy to work.
The quickest way to install, if you have Go installed, is to get the latest with `go install`:

```bash
go install github.com/owenrumney/lazytrivy@latest
```
Alternatively, you can get the latest releases from GitHub.
A config file can be added to `~/.config/lazytrivy/config.yml` to set default options.

```yaml
vulnerability:
  ignoreunfixed: false
filesystem:
  scansecrets: true
  scanmisconfiguration: true
  scanvulnerabilities: true
cachedirectory: ~/.cache
debug: true
trace: false
```
Settings can be adjusted via the UI by pressing the `,` key at any time.
By setting `debug` to true, additional logs will be generated in `/tmp/lazytrivy.log`.
lazytrivy is super easy to use, just run it with the following command:

```
lazytrivy --help
Usage:
  lazytrivy [command]

Available Commands:
  filesystem  Launch lazytrivy in filesystem scanning mode
  help        Help about any command
  image       Launch lazytrivy in image scanning mode

Flags:
      --debug                Launch with debug logging
      --docker-host string   Docker host to connect to (default "unix:///var/run/docker.sock")
  -h, --help                 help for lazytrivy
      --trace                Launch with trace logging

Use "lazytrivy [command] --help" for more information about a command.
```
Logs are generated in `$HOME/.lazytrivy/logs/lazytrivy.log` with the default level at `info`. You can change the log level by setting the `--debug` flag.
To get even more information (more than you need), you can set the `--trace` flag. This generates a lot of logs, most of it tracking the cursor position, Docker events etc., so use it sparingly.
By default, lazytrivy will connect to the Docker daemon on the local machine by looking at the current context.
The default Docker host is `unix:///var/run/docker.sock`. If you are running Docker on a remote host, you can set the Docker host with the `--docker-host` flag.
### Starting in a specific mode

You can start `lazytrivy` in a specific mode using `images` or `filesystem`:

For example, to scan a specific filesystem folder, you could run:

```bash
lazytrivy fs --path /home/owen/code/github/owenrumney/example
```
This will start in filesystem mode pointing to the specified path. If no path is provided it will point to the current working directory.
lazytrivy will work with podman in non-root mode; you do, however, need to be careful to either start podman in a different terminal to lazytrivy or redirect the podman output to `/dev/null`.

For example, you can start podman with

```bash
podman system service -t 3600 unix:///tmp/podman-run-1000/podman/podman.sock 2>/dev/null &
```

then start lazytrivy with

```bash
lazytrivy --docker-host unix:///tmp/podman-run-1000/podman/podman.sock image
```
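The podman recipe above only works if the socket named in `--docker-host` actually exists and is a socket when lazytrivy connects; the README's default host and the `--docker-host` flag are the two ways that value is chosen. The following is an added example, not lazytrivy's own code, that resolves the host and runs that check before launching. The precedence it uses (explicit flag, then the `DOCKER_HOST` environment variable, then the README's default `unix:///var/run/docker.sock`) is an assumption; the README documents only the flag and the default. Only `unix://` hosts are verified locally; `tcp://`, `ssh://` and `npipe://` hosts are passed through unchecked.

```python
"""Pre-flight check for the docker host before launching lazytrivy.

Added example, not part of lazytrivy. Assumptions: host precedence is
flag > DOCKER_HOST environment variable > README default; remote schemes
are not verified locally.
"""
import os
import stat
import subprocess
import sys
from urllib.parse import urlparse

# Default from the README ("The default Docker host is unix:///var/run/docker.sock").
DEFAULT_DOCKER_HOST = "unix:///var/run/docker.sock"
REMOTE_SCHEMES = ("tcp", "ssh", "npipe")


def resolve_docker_host(flag_value=None, env=None):
    """Pick the host: explicit --docker-host value, else DOCKER_HOST, else the default."""
    env = os.environ if env is None else env
    if flag_value:
        return flag_value
    return env.get("DOCKER_HOST") or DEFAULT_DOCKER_HOST


def unix_socket_path(host):
    """Return the filesystem path of a unix:// host, or None if it is not one.

    unix:///tmp/x.sock parses with an empty netloc and path /tmp/x.sock;
    unix://tmp/x.sock (two slashes, a common typo) leaves 'tmp' in netloc and
    is rejected, because it would never point at a local socket.
    """
    parsed = urlparse(host)
    if parsed.scheme != "unix" or parsed.netloc:
        return None
    return parsed.path


def check_docker_host(host):
    """Return (ok, message). A unix:// host must be an existing, accessible socket,
    which is exactly what is missing when the podman service was never started."""
    path = unix_socket_path(host)
    if path is None:
        if urlparse(host).scheme in REMOTE_SCHEMES:
            return True, f"{host}: remote host, not checked locally"
        return False, f"{host}: unsupported docker host URL"
    try:
        st = os.stat(path)
    except OSError as exc:
        return False, f"{path}: {exc.strerror} (is the daemon or podman service running?)"
    if not stat.S_ISSOCK(st.st_mode):
        return False, f"{path}: exists but is not a unix socket"
    if not os.access(path, os.R_OK | os.W_OK):
        return False, f"{path}: socket exists but is not readable/writable by this user"
    return True, f"{path}: socket present"


def build_command(mode="image", flag_value=None, env=None):
    """Assemble the invocation shown in the README for the resolved host."""
    host = resolve_docker_host(flag_value, env)
    return ["lazytrivy", "--docker-host", host, mode]


if __name__ == "__main__":
    # Usage: python preflight.py [docker-host-url] [image|filesystem]
    flag = sys.argv[1] if len(sys.argv) > 1 else None
    mode = sys.argv[2] if len(sys.argv) > 2 else "image"
    cmd = build_command(mode, flag)
    ok, msg = check_docker_host(cmd[2])
    print(msg)
    if not ok:
        sys.exit(1)
    # Hand off to lazytrivy only once the socket check has passed.
    sys.exit(subprocess.call(cmd))
```

The check deliberately distinguishes "no such file" (service not started), "not a socket" (a stale regular file at that path) and "not accessible" (a root-owned socket in non-root podman mode), since each has a different fix.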
Pressing `a` will scan all the images that are shown in the left hand pane. On completion, you will be shown a summary of any vulnerabilities found.

You can then scan individual images to get more details.

Select an image from the left hand pane and press `s` to scan it. Use the left and right arrow keys to switch between views and the up and down arrow keys to select an image.

Press `s` to scan the currently selected image.

To scan an image that is not already locally on the machine, you can use the `r` key to scan a remote image.

To scan a filesystem, you can use the `w` key to switch to Filesystem mode; from there you will get all the vulnerabilities, misconfigurations and secrets from the current working directory.