trivy vulnerability explorer

Web application that allows to load a Trivy report in json format and displays the vulnerabilities of a single target in an interactive data table.

116
39
Vue

:imagesdir: doc/img

= Trivy Vulnerability Explorer

Large https://github.com/aquasecurity/trivy/issues[Trivy] reports tend to become hard to grasp, that is why this project was created. It is a web application that allows to load a https://github.com/aquasecurity/trivy/issues[Trivy] report in json format and displays the vulnerabilities of a single target in an interactive data table.

.Screenshot of the application
image::overview.png[Overview of the application]

== Usage

Head over to the https://dbsystel.github.io/trivy-vulnerability-explorer[application^] and load a Trivy report .json file. For example, to scan an outdated alpine image, you can run the following command to create an alpine-3.9.2.json report.


trivy i -f json -o alpine-3.9.2.json alpine:3.9.2

Now load this file in the vulnerability explorer and start exploring. You can filter by term or click one of the categories in the filter bar to dig into the data. You can also use the link:src/assets/alpine-3.9.2.json[example file] in the repo.

The data never leaves your browser, because all processing is handled inside your browser. Of course, you can feel free to fork this project and deploy your own version. If you do so, I would be happy if you leave me a comment and a star on the repository.

=== Integration with GitLab Job

If you are using a GitLab Job to generate the Trivy report, you can supply a direct URL to the json file. The app will fetch the report and display the results without the hassle to first download the file. You might need to provide a token for authentication, you can do that by clicking the shield symbol next to the URL field. Make sure to create a personal access token with the scope read_api. The token will be persisted in the local storage, so that you can reuse it the next time you want to load a report from the same GitLab instance.

You can pass a query parameter url to the app, and it will load a file from this url on startup. It is a good idea to print the URL of the vulnerability explorer at the end of the job log, so that the user can jump directly to the vulnerability report. If the name of the report is trivy-results.json, the url schema would look like this:


https://dbsystel.github.io/trivy-vulnerability-explorer/#/?url=https://$CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/jobs/$CI_JOB_ID/artifacts/trivy-results.json

CAUTION: There was a recent change in the implementation of the Routing, make sure to include the # within the URL, otherwise this feature will not work.

NOTE: While the feature was built having GitLab in mind, it should work for every artifact storage, where the json can be downloaded with a GET HTTP request that needs at most a single HTTP header for authentication.

== Contribute

See link:CONTRIBUTING.adoc[How to contribute]

== Development
.Setup

npm install

.Compiles and hot-reloads for development

npm run serve

.Run via Docker

$ docker build -t <image_name> .

ex. docker build -t trivy-explorer .

$ docker run -p :8080 --name

ex. docker run -p 5000:8080 --name sec-scan trivy-explorer

== License
This project is licensed under link:LICENSE[Apache-2.0]