:imagesdir: doc/img
= Trivy Vulnerability Explorer
Large https://github.com/aquasecurity/trivy/issues[Trivy] reports tend to become hard to grasp; that is why this project was created. It is a web application that lets you load a https://github.com/aquasecurity/trivy/issues[Trivy] report in JSON format and displays the vulnerabilities of a single target in an interactive data table.
.Load a Trivy report
image::overview-0.png[Step 1: Load a Trivy report]
.Explore the vulnerabilities
image::overview-1.png[Step 2: Explore the vulnerabilities]
== Usage
Head over to the https://dbsystel.github.io/trivy-vulnerability-explorer[application^] and load a Trivy report `.json` file. For example, to scan an outdated Alpine image, you can run the following command to create an `alpine-3.9.2.json` report.
Now load this file in the vulnerability explorer and start exploring. You can filter by term or click one of the categories in the filter bar to dig into the data. You can also use the link:src/assets/alpine-3.9.2.json[example file] in the repo.
The data never leaves your browser; all processing happens client-side. Of course, feel free to fork this project and deploy your own version. If you do so, I would be happy if you leave me a comment and a star on the repository.
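The explorer's core job is to read a Trivy JSON report, list its targets and let you narrow one target's findings by term or category. As an added illustration (not code from this repository), here is a small Node.js reader doing the same thing on a constructed report; it assumes Trivy's JSON layout with a top-level `Results` array (schema v2), or a bare top-level array for older Trivy versions, and the sample IDs, packages and versions are invented.

```javascript
// Added example, not part of the Trivy Vulnerability Explorer code base: a small
// Node.js reader that does what the explorer does in the browser, i.e. list the
// targets of a Trivy JSON report and filter the vulnerabilities of one target.
// Assumption: Trivy's JSON layout, either a top-level "Results" array (schema v2)
// or, for older Trivy versions, a bare top-level array of result entries.

const SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"];

// Accept both report layouts and always hand back the array of result entries.
function reportResults(report) {
  if (Array.isArray(report)) return report; // legacy layout
  if (report && Array.isArray(report.Results)) return report.Results; // schema v2
  throw new Error("not a Trivy JSON report: no Results array found");
}

// Names of the scanned targets (OS packages, lock files, ...), in report order.
function listTargets(report) {
  return reportResults(report).map((r) => r.Target);
}

function severityOf(v) {
  return (v.Severity || "UNKNOWN").toUpperCase();
}

// Vulnerabilities of one target, optionally narrowed by a free-text term (matched
// case-insensitively against ID, package name and title) and a set of severities,
// ordered from CRITICAL down to UNKNOWN.
function filterVulnerabilities(report, target, { term = "", severities = null } = {}) {
  const result = reportResults(report).find((r) => r.Target === target);
  if (!result) throw new Error(`unknown target: ${target}`);
  const needle = term.trim().toLowerCase();
  const wanted = severities ? new Set(severities.map((s) => s.toUpperCase())) : null;
  return (result.Vulnerabilities || [])
    .filter((v) => !wanted || wanted.has(severityOf(v)))
    .filter((v) => {
      if (!needle) return true;
      const haystack = [v.VulnerabilityID, v.PkgName, v.Title]
        .filter(Boolean).join(" ").toLowerCase();
      return haystack.includes(needle);
    })
    .sort((a, b) => SEVERITY_ORDER.indexOf(severityOf(a)) - SEVERITY_ORDER.indexOf(severityOf(b)));
}

// Number of findings per severity for one target, i.e. the counts a filter bar shows.
function severityCounts(report, target) {
  const counts = {};
  for (const v of filterVulnerabilities(report, target)) {
    counts[severityOf(v)] = (counts[severityOf(v)] || 0) + 1;
  }
  return counts;
}

// Constructed sample report: the field names follow Trivy's schema, the IDs,
// packages and versions are invented placeholders for this example.
const SAMPLE_REPORT = {
  SchemaVersion: 2,
  ArtifactName: "alpine:3.9.2",
  Results: [
    {
      Target: "alpine:3.9.2 (alpine 3.9.2)",
      Vulnerabilities: [
        { VulnerabilityID: "CVE-0000-0001", PkgName: "musl", InstalledVersion: "1.1.0-r0",
          FixedVersion: "1.1.0-r1", Severity: "HIGH", Title: "constructed entry" },
        { VulnerabilityID: "CVE-0000-0002", PkgName: "openssl", InstalledVersion: "1.0.0-r0",
          FixedVersion: "1.0.0-r1", Severity: "CRITICAL", Title: "constructed entry" },
        { VulnerabilityID: "CVE-0000-0003", PkgName: "zlib", InstalledVersion: "1.2.0-r0",
          FixedVersion: "", Severity: "LOW", Title: "constructed entry" },
      ],
    },
    { Target: "app/package-lock.json", Vulnerabilities: [] },
  ],
};

const TARGET = "alpine:3.9.2 (alpine 3.9.2)";
console.log("targets:", listTargets(SAMPLE_REPORT));
console.log("counts:", severityCounts(SAMPLE_REPORT, TARGET));
console.log("term 'ssl':", filterVulnerabilities(SAMPLE_REPORT, TARGET, { term: "ssl" }).map((v) => v.VulnerabilityID));
```

Run it with `node` on a real report by replacing `SAMPLE_REPORT` with `JSON.parse(fs.readFileSync(path))`; the severity ordering mirrors what you would want a data table to show first.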
=== Integration with GitLab Job
If you are using a GitLab job to generate the Trivy report, you can supply a direct URL to the JSON file. The app will fetch the report and display the results without you having to download the file first. You might need to provide a token for authentication; you can do that by clicking the shield symbol next to the URL field. Make sure to create a personal access token with the scope `read_api`. The token will be persisted in the local storage, so that you can reuse it the next time you want to load a report from the same GitLab instance.
You can pass a query parameter `url` to the app, and it will load a file from this URL on startup. It is a good idea to print the URL of the vulnerability explorer at the end of the job log, so that the user can jump directly to the vulnerability report. If the name of the report is `trivy-results.json`, the URL schema would look like this:
CAUTION: There was a recent change in the implementation of the routing; make sure to include the `#` within the URL, otherwise this feature will not work.
NOTE: While the feature was built with GitLab in mind, it should work for any artifact storage from which the JSON can be downloaded with an HTTP GET request that needs at most a single HTTP header for authentication.
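To make the URL-loading flow concrete, here is an added example (not the explorer's own code) of the three pieces it needs: reading the `url` parameter from a hash-routed app URL, building a GET request that carries at most one authentication header, and remembering a token per instance. It assumes hash routing as the CAUTION above implies, that GitLab reads a personal access token from its documented `PRIVATE-TOKEN` header (how the explorer itself names the header is not described here), and every URL in it is a constructed placeholder on a `.invalid` domain.

```javascript
// Added example, not the explorer's own code: the pieces a "load report from a
// URL" feature needs, reading the `url` parameter from a hash-routed app URL and
// building a GET request that carries at most one authentication header, plus a
// per-instance token store. Assumptions: the app uses hash routing (the CAUTION
// above says the "#" must be part of the URL); GitLab reads a personal access token
// from the PRIVATE-TOKEN header (GitLab's documented header; the explorer's own
// header handling is not described on the page); every URL below is a constructed
// placeholder on a .invalid domain.

// With hash routing the query string sits after the "#" (.../#/?url=...), where the
// browser never sends it to the server and the router can read it. A "?url=..."
// placed before the "#" lands in the normal search part instead, which is checked
// only as a fallback here.
function reportUrlFromAppUrl(appUrl) {
  const u = new URL(appUrl);
  const fragment = u.hash.replace(/^#/, "");
  const qIndex = fragment.indexOf("?");
  if (qIndex !== -1) {
    const fromHash = new URLSearchParams(fragment.slice(qIndex + 1)).get("url");
    if (fromHash) return fromHash;
  }
  return u.searchParams.get("url");
}

// Describe the download: a plain GET for JSON, plus one auth header when a token is given.
function buildReportRequest(reportUrl, token) {
  const headers = { Accept: "application/json" };
  if (token) headers["PRIVATE-TOKEN"] = token;
  return { url: reportUrl, method: "GET", headers };
}

// Tokens are remembered per origin (i.e. per GitLab instance), not per report URL,
// so a stored token is only ever replayed to the instance it was entered for.
function tokenStorageKey(reportUrl) {
  return `trivy-explorer-token:${new URL(reportUrl).origin}`;
}
function rememberToken(store, reportUrl, token) {
  store.setItem(tokenStorageKey(reportUrl), token);
}
function recallToken(store, reportUrl) {
  return store.getItem(tokenStorageKey(reportUrl));
}

// Download and sanity-check the report (uses the global fetch of Node 18+ or a browser).
async function fetchReport(reportUrl, token) {
  const req = buildReportRequest(reportUrl, token);
  const res = await fetch(req.url, { method: req.method, headers: req.headers });
  if (!res.ok) throw new Error(`download failed: HTTP ${res.status}`);
  const report = await res.json();
  if (!Array.isArray(report) && !Array.isArray(report.Results)) {
    throw new Error("downloaded file is not a Trivy JSON report");
  }
  return report;
}

// Constructed placeholders: explorer on explorer.example.invalid, report served by the
// GitLab job-artifacts API of gitlab.example.invalid, file name trivy-results.json.
const SAMPLE_REPORT_URL =
  "https://gitlab.example.invalid/api/v4/projects/1/jobs/artifacts/main/raw/trivy-results.json?job=scan";
const SAMPLE_APP_URL =
  "https://explorer.example.invalid/#/?url=" + encodeURIComponent(SAMPLE_REPORT_URL);

// In-memory stand-in for window.localStorage (same getItem/setItem interface).
const memoryStore = {
  data: {},
  getItem(k) { return k in this.data ? this.data[k] : null; },
  setItem(k, v) { this.data[k] = String(v); },
};

console.log("report url:", reportUrlFromAppUrl(SAMPLE_APP_URL));
rememberToken(memoryStore, SAMPLE_REPORT_URL, "token-placeholder");
console.log("request:", buildReportRequest(SAMPLE_REPORT_URL, recallToken(memoryStore, SAMPLE_REPORT_URL)));
```

Keying the stored token by origin rather than by full report URL is the detail worth copying: it is what makes "reuse it for the same GitLab instance" safe, because a report URL on another host never receives the token.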
== Run with docker image
This project provides Docker images hosted on GitHub Container Registry (GHCR). The images are automatically built and published through GitHub Actions. The image comes with an nginx that serves the application on port 8080.
=== Available Tags
The Docker images are tagged using several strategies to provide flexibility in choosing the right version:
[cols="1,2"]
|===
|Tag Pattern |Description

|latest
|Points to the most recent build from the main branch

|v{major}.{minor}.{patch}
|Specific version (e.g., `v1.2.3`)

|v{major}.{minor}
|Latest patch version for a minor version (e.g., `v1.2`)

|v{major}
|Latest minor version for a major version (e.g., `v1`)

|sha-{commit}
|Specific commit hash for precise version control
|===
=== Using the Docker Image
Replace `<tag>` with one of the available tags. Example for running the latest version:
== Contribute
See link:CONTRIBUTING.adoc[How to contribute].
== License
This project is licensed under link:LICENSE[Apache-2.0].