MCPcopy Index your code
hub / github.com/aquasecurity/trivy-db

github.com/aquasecurity/trivy-db @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
1,121 symbols 3,296 edges 145 files 223 documented · 20% 5 cross-repo links
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

trivy-db

Build DB GitHub Release Downloads [Go Report Card]report-card [Go Doc]go-doc [License]license

Overview

trivy-db is a CLI tool and a library to manipulate Trivy DB.

Library

Trivy uses trivy-db internally to manipulate vulnerability DB. This DB has vulnerability information from NVD, Red Hat, Debian, etc.

CLI

The trivy-db CLI tool builds vulnerability DBs. A GitHub Actions workflow periodically builds a fresh version of the vulnerability DB using trivy-db and uploads it to the GitHub Container Registry (see Download the vulnerability database below).

NAME:
   trivy-db - Trivy DB builder

USAGE:
   main [global options] command [command options] image_name

VERSION:
   0.0.1

COMMANDS:
     build    build a database file
     help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --help, -h     show help
   --version, -v  print the version

Building the DB

To build trivy-db locally, you can use the following order of commands from the Makefile:

make db-fetch-langs db-fetch-vuln-list  # To download all advisories and other required files (`./cache` dir by default)
make build  # Build `trivy-db` binary
make db-build  # Build database (`./out` dir by default)
make db-compact  # Compact database (`./assets` dir by default)
make db-compress  # Compress database into `db.tar.gz` file

To build trivy-db image and push into registry, you need to use Oras CLI. For example for ghcr:

./oras push --artifact-type application/vnd.aquasec.trivy.config.v1+json \
"ghcr.io/aquasecurity/trivy-db:2" \
db.tar.gz:application/vnd.aquasec.trivy.db.layer.v1.tar+gzip

Update interval

Trivy DB is built every 6 hours. By default, the update interval specified in the metadata file is 24 hours. If you need to update Trivy DB more frequently, you can upload a new Trivy DB manually.

Download the vulnerability database

version 1 (deprecated)

Trivy DB v1 reached the end of support on February 2023. Please upgrade Trivy to v0.23.0 or later.

Read more about the Trivy DB v1 deprecation in the discussion.

version 2

Trivy DB v2 is hosted on GHCR. Although GitHub displays the docker pull command by default, please note that it cannot be downloaded using docker pull as it is not a container image.

You can download the actual compiled database via Trivy or Oras CLI.

Trivy:

TRIVY_TEMP_DIR=$(mktemp -d)
trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
rm -rf $TRIVY_TEMP_DIR

oras >= v0.13.0:

$ oras pull ghcr.io/aquasecurity/trivy-db:2

oras < v0.13.0:

$ oras pull -a ghcr.io/aquasecurity/trivy-db:2

The database can be used for Air-Gapped Environment.

Extension points exported contracts — how you extend this code

Updater (Interface)
(no doc) [33 implementers]
pkg/vulnsrctest/vulnsrctest.go
Getter (Interface)
(no doc) [21 implementers]
pkg/db/db.go
VulnSrc (Interface)
(no doc) [32 implementers]
pkg/vulnsrc/vulnsrc.go
VulnDB (Interface)
(no doc) [1 implementers]
pkg/vulndb/db.go
Operation (Interface)
(no doc) [2 implementers]
pkg/db/db.go
DB (Interface)
(no doc) [7 implementers]
pkg/vulnsrc/suse-cvrf/suse-cvrf.go
Option (FuncType)
(no doc)
pkg/vulndb/db.go
CustomPut (FuncType)
(no doc)
pkg/db/db.go

Core symbols most depended-on inside this repo

MustTimeParse
called by 68
pkg/utils/time.go
String
called by 62
pkg/vulnsrc/osv/range.go
Name
called by 56
pkg/vulnsrc/bucket/bucket.go
Get
called by 44
pkg/db/db.go
Contains
called by 41
pkg/vulnsrc/osv/range.go
BatchUpdate
called by 26
pkg/db/db.go
PutVulnerabilityID
called by 26
pkg/db/db.go
PutAdvisoryDetail
called by 25
pkg/db/db.go

Shape

Method 412
Struct 345
Function 315
TypeAlias 26
Interface 16
FuncType 7

Languages

Go100%

Modules by API surface

pkg/db/mock_operation.go113 symbols
pkg/vulnsrc/bucket/bucket.go74 symbols
pkg/db/db.go38 symbols
pkg/vulnsrc/redhat-oval/types.go34 symbols
pkg/vulnsrc/redhat-csaf/parse.go25 symbols
pkg/vulnsrc/osv/osv.go25 symbols
pkg/vulnsrc/oracle-oval/oracle-oval.go24 symbols
pkg/vulnsrc/debian/debian.go23 symbols
pkg/vulnsrc/osv/range.go22 symbols
pkg/types/types.go20 symbols
pkg/vulnsrc/vulnerability/vulnerability.go19 symbols
pkg/vulnsrc/suse-cvrf/suse-cvrf.go19 symbols

For agents

$ claude mcp add trivy-db \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact