<trivy_check.bat>
rem ---- scan the current directory as a filesystem (default scanners: vuln, secret)
trivy fs .
rem ---- scan the current directory as a root filesystem (an unpacked image or a host root)
trivy rootfs .
rem ---- scan the IaC/config files under ./targets, report HIGH and CRITICAL only
trivy config ./targets -s HIGH,CRITICAL
rem ---- same scan, but write the result to a file as JSON
rem trivy config ./targets -s HIGH,CRITICAL -o check_result.json --format json
<Run the batch file>
PS C:\...\trivy-test>.\trivy_check.bat
2025-10-02T00:22:14+09:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-10-02T00:22:15+09:00 INFO Detected config files num=2
Report Summary
┌─────────────────┬────────────┬───────────────────┐
│ Target          │ Type       │ Misconfigurations │
├─────────────────┼────────────┼───────────────────┤
│ Dockerfile      │ dockerfile │ 1                 │
├─────────────────┼────────────┼───────────────────┤
│ deployment.yaml │ kubernetes │ 3                 │
└─────────────────┴────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
Dockerfile (dockerfile)
=======================
Tests: 20 (SUCCESSES: 19, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)
AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────
:
:
> trivy config ./targets/Dockerfile
2025-10-03T15:11:18+09:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-10-03T15:11:19+09:00 INFO Detected config files num=1
Report Summary
┌────────────┬────────────┬───────────────────┐
│ Target     │ Type       │ Misconfigurations │
├────────────┼────────────┼───────────────────┤
│ Dockerfile │ dockerfile │ 4                 │
└────────────┴────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
Dockerfile (dockerfile)
=======================
Tests: 27 (SUCCESSES: 23, FAILURES: 4)
Failures: 4 (UNKNOWN: 0, LOW: 2, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
AVD-DS-0001 (MEDIUM): Specify a tag in the 'FROM' statement for image 'alpine'
════════════════════════════════════════
When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.
See https://avd.aquasec.com/misconfig/ds001
────────────────────────────────────────
Dockerfile:2
────────────────────────────────────────
2 [ FROM alpine:latest
────────────────────────────────────────
AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────
AVD-DS-0005 (LOW): Consider using 'COPY default.conf /etc/nginx/http.d/default.conf' command instead of 'ADD default.conf /etc/nginx/http.d/default.conf'
════════════════════════════════════════
You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.
See https://avd.aquasec.com/misconfig/ds005
────────────────────────────────────────
Dockerfile:8
────────────────────────────────────────
8 [ ADD default.conf /etc/nginx/http.d/default.conf
────────────────────────────────────────
AVD-DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.
See https://avd.aquasec.com/misconfig/ds026
────────────────────────────────────────
> trivy config .\targets\deployment.yaml
2025-10-03T15:12:42+09:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-10-03T15:12:43+09:00 INFO Detected config files num=1
Report Summary
┌─────────────────┬────────────┬───────────────────┐
│ Target          │ Type       │ Misconfigurations │
├─────────────────┼────────────┼───────────────────┤
│ deployment.yaml │ kubernetes │ 18                │
└─────────────────┴────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
deployment.yaml (kubernetes)
============================
Tests: 96 (SUCCESSES: 78, FAILURES: 18)
Failures: 18 (UNKNOWN: 0, LOW: 11, MEDIUM: 4, HIGH: 3, CRITICAL: 0)
AVD-KSV-0001 (MEDIUM): Container 'nginx-alpine' of Deployment 'nginx-alpine' should set 'securityContext.allowPrivilegeEscalation' to false
════════════════════════════════════════
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
See https://avd.aquasec.com/misconfig/ksv001
────────────────────────────────────────
deployment.yaml:16-19
────────────────────────────────────────
16 ┌ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
AVD-KSV-0003 (LOW): Container 'nginx-alpine' of Deployment 'nginx-alpine' should add 'ALL' to 'securityContext.capabilities.drop'
════════════════════════════════════════
The container should drop all default capabilities and add only those that are needed for its execution.
See https://avd.aquasec.com/misconfig/ksv003
────────────────────────────────────────
deployment.yaml:16-19
────────────────────────────────────────
16 ┌ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
AVD-KSV-0004 (LOW): Container 'nginx-alpine' of 'deployment' 'nginx-alpine' in 'default' namespace should set securityContext.capabilities.drop
════════════════════════════════════════
Security best practices require containers to run with minimal required capabilities.
See https://avd.aquasec.com/misconfig/ksv004
────────────────────────────────────────
deployment.yaml:16-19
────────────────────────────────────────
16 ┌ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
AVD-KSV-0011 (LOW): Container 'nginx-alpine' of Deployment 'nginx-alpine' should set 'resources.limits.cpu'
════════════════════════════════════════
Enforcing CPU limits prevents DoS via resource exhaustion.
See https://avd.aquasec.com/misconfig/ksv011
────────────────────────────────────────
deployment.yaml:16-19
────────────────────────────────────────
16 ┌ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
AVD-KSV-0012 (MEDIUM): Container 'nginx-alpine' of Deployment 'nginx-alpine' should set 'securityContext.runAsNonRoot' to true
════════════════════════════════════════
Force the running image to run as a non-root user to ensure least privileges.
See https://avd.aquasec.com/misconfig/ksv012
────────────────────────────────────────
deployment.yaml:16-19
────────────────────────────────────────
16 ┌ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
AVD-KSV-0014 (HIGH): Container 'nginx-alpine' of Deployment 'nginx-alpine' should set 'securityContext.readOnlyRootFilesystem' to true
════════════════════════════════════════
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
See https://avd.aquasec.com/misconfig/ksv014
────────────────────────────────────────
deployment.yaml:16-19
────────────────────────────────────────
16 ┌ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
AVD-KSV-0015 (LOW): Container 'nginx-alpine' of Deployment 'nginx-alpine' should set 'resources.requests.cpu'
════════════════════════════════════════
When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.
See https://avd.aquasec.com/misconfig/ksv015
────────────────────────────────────────
deployment.yaml:16-19
────────────────────────────────────────
16 ┌ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
AVD-KSV-0016 (LOW): Container 'nginx-alpine' of Deployment 'nginx-alpine' should set 'resources.requests.memory'
════════════════════════════════════════
When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.
See https://avd.aquasec.com/misconfig/ksv016
────────────────────────────────────────
deployment.yaml:16-19
────────────────────────────────────────
16 ┌ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
AVD-KSV-0018 (LOW): Container 'nginx-alpine' of Deployment 'nginx-alpine' should set 'resources.limits.memory'
════════════════════════════════════════
Enforcing memory limits prevents DoS via resource exhaustion.
See https://avd.aquasec.com/misconfig/ksv018
────────────────────────────────────────
deployment.yaml:16-19
────────────────────────────────────────
16 ┌ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
AVD-KSV-0020 (LOW): Container 'nginx-alpine' of Deployment 'nginx-alpine' should set 'securityContext.runAsUser' > 10000
════════════════════════════════════════
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
See https://avd.aquasec.com/misconfig/ksv020
────────────────────────────────────────
deployment.yaml:16-19
────────────────────────────────────────
16 ┌ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
AVD-KSV-0021 (LOW): Container 'nginx-alpine' of Deployment 'nginx-alpine' should set 'securityContext.runAsGroup' > 10000
════════════════════════════════════════
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
See https://avd.aquasec.com/misconfig/ksv021
────────────────────────────────────────
deployment.yaml:16-19
────────────────────────────────────────
16 ┌ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
AVD-KSV-0030 (LOW): Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
════════════════════════════════════════
According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.
See https://avd.aquasec.com/misconfig/ksv030
────────────────────────────────────────
deployment.yaml:16-19
────────────────────────────────────────
16 ┌ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
AVD-KSV-0104 (MEDIUM): container "nginx-alpine" of deployment "nginx-alpine" in "default" namespace should specify a seccomp profile
════════════════════════════════════════
A program inside the container can bypass Seccomp protection policies.
See https://avd.aquasec.com/misconfig/ksv104
────────────────────────────────────────
deployment.yaml:16-19
────────────────────────────────────────
16 ┌ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
AVD-KSV-0106 (LOW): container should drop all
════════════════════════════════════════
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.
See https://avd.aquasec.com/misconfig/ksv106
────────────────────────────────────────
deployment.yaml:16-19
────────────────────────────────────────
16 ┌ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
AVD-KSV-0110 (LOW): deployment nginx-alpine in default namespace should set metadata.namespace to a non-default namespace
════════════════════════════════════════
Checks whether a workload is running in the default namespace.
See https://avd.aquasec.com/misconfig/ksv110
────────────────────────────────────────
deployment.yaml:4
────────────────────────────────────────
4 [ name: nginx-alpine
────────────────────────────────────────
AVD-KSV-0117 (MEDIUM): deployment nginx-alpine in default namespace should not set spec.template.spec.containers.ports.containerPort to less than 1024
════════════════════════════════════════
The ports which are lower than 1024 receive and transmit various sensitive and privileged data. Allowing containers to use them can bring serious implications.
See https://avd.aquasec.com/misconfig/ksv117
────────────────────────────────────────
AVD-KSV-0118 (HIGH): container nginx-alpine in default namespace is using the default security context
════════════════════════════════════════
Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilities to potential attacks that rely on privileged access.
See https://avd.aquasec.com/misconfig/ksv118
────────────────────────────────────────
deployment.yaml:16-19
────────────────────────────────────────
16 ┌ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
AVD-KSV-0118 (HIGH): deployment nginx-alpine in default namespace is using the default security context, which allows root privileges
════════════════════════════════════════
Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilities to potential attacks that rely on privileged access.
See https://avd.aquasec.com/misconfig/ksv118
────────────────────────────────────────
deployment.yaml:15-19
────────────────────────────────────────
15 ┌ containers:
16 │ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
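Every one of the 18 deployment.yaml findings above comes from the same cause: the container has no securityContext, no resources block, a privileged port and no namespace. The following is an added example, not code from the original page or from Trivy. BEFORE is a constructed minimal Deployment matching the fragment Trivy displayed (container 'nginx-alpine', image nginx:alpine, containerPort 80, metadata.namespace unset); the rest of the author's file is not on the page. AFTER is the hardened version, with the finding each line clears named in a comment. check_deployment() is a simplified re-implementation of the listed rules so the two manifests can be compared offline; it is not Trivy's policy code. Manifests are written as Python dicts (the JSON form Kubernetes also accepts) so no YAML library is needed. One caveat that the scanner does not tell you: a read-only root filesystem, UID 10001 and port 8080 only work if the image was built to run that way, so the emptyDir mount paths below are an assumption about what nginx needs to write, and in practice this manifest is paired with an unprivileged nginx build.

```python
"""Hardened Deployment for the AVD-KSV findings, with a simplified check."""

BEFORE = {  # constructed reconstruction of the scanned manifest
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "nginx-alpine"},  # namespace unset -> 'default' (KSV-0110)
    "spec": {"template": {"spec": {"containers": [
        {"name": "nginx-alpine", "image": "nginx:alpine",
         "ports": [{"containerPort": 80}]},
    ]}}},
}

AFTER = {  # hardened version; each comment names the finding the line clears
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "nginx-alpine", "namespace": "web"},  # KSV-0110
    "spec": {"template": {"spec": {
        # pod-level seccomp applies to every container (KSV-0030 / KSV-0104)
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        # scratch space for an otherwise read-only root filesystem; which paths
        # nginx needs is an assumption about the image
        "volumes": [{"name": "cache", "emptyDir": {}},
                    {"name": "run", "emptyDir": {}}],
        "containers": [{
            "name": "nginx-alpine",
            "image": "nginx:alpine",
            "ports": [{"containerPort": 8080}],  # KSV-0117: unprivileged port
            "volumeMounts": [{"name": "cache", "mountPath": "/var/cache/nginx"},
                             {"name": "run", "mountPath": "/var/run"}],
            "resources": {  # KSV-0011 / KSV-0015 / KSV-0016 / KSV-0018
                "requests": {"cpu": "100m", "memory": "64Mi"},
                "limits": {"cpu": "500m", "memory": "128Mi"},
            },
            "securityContext": {  # any explicit context clears KSV-0118
                "allowPrivilegeEscalation": False,  # KSV-0001
                "readOnlyRootFilesystem": True,     # KSV-0014
                "runAsNonRoot": True,               # KSV-0012
                "runAsUser": 10001,                 # KSV-0020
                "runAsGroup": 10001,                # KSV-0021
                "capabilities": {"drop": ["ALL"]},  # KSV-0003 / KSV-0004 / KSV-0106
            },
        }],
    }}},
}

RESOURCE_RULES = (("limits", "cpu", "KSV-0011"), ("requests", "cpu", "KSV-0015"),
                  ("requests", "memory", "KSV-0016"), ("limits", "memory", "KSV-0018"))


def check_deployment(manifest):
    """Return the sorted list of (simplified) KSV rule IDs the manifest fails.

    KSV-0004, KSV-0106 and KSV-0104, which Trivy reports as well, are satisfied
    by the same settings as KSV-0003 and KSV-0030, so they are not repeated.
    """
    failures = []
    if manifest.get("metadata", {}).get("namespace", "default") == "default":
        failures.append("KSV-0110")
    pod = manifest["spec"]["template"]["spec"]
    pod_seccomp = pod.get("securityContext", {}).get("seccompProfile", {})
    for c in pod["containers"]:
        sc = c.get("securityContext", {})
        if not sc:
            failures.append("KSV-0118")
        if sc.get("allowPrivilegeEscalation") is not False:
            failures.append("KSV-0001")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            failures.append("KSV-0003")
        if sc.get("runAsNonRoot") is not True:
            failures.append("KSV-0012")
        if sc.get("readOnlyRootFilesystem") is not True:
            failures.append("KSV-0014")
        if sc.get("runAsUser", 0) <= 10000:
            failures.append("KSV-0020")
        if sc.get("runAsGroup", 0) <= 10000:
            failures.append("KSV-0021")
        # a container-level profile overrides the pod-level one; either satisfies the rule
        if (sc.get("seccompProfile") or pod_seccomp).get("type") != "RuntimeDefault":
            failures.append("KSV-0030")
        for section, key, rule in RESOURCE_RULES:
            if key not in c.get("resources", {}).get(section, {}):
                failures.append(rule)
        if any(p.get("containerPort", 65535) < 1024 for p in c.get("ports", [])):
            failures.append("KSV-0117")
    return sorted(failures)


if __name__ == "__main__":
    print("before:", check_deployment(BEFORE))
    print("after: ", check_deployment(AFTER))
```

The script reports 14 distinct rule IDs for BEFORE and none for AFTER. When porting the AFTER block back into YAML for a real cluster, keep the pod-level seccompProfile: it is the one setting here that also covers any init or sidecar container added later.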
PS C:\...\trivy-test> trivy fs .\vue3-main -s MEDIUM,HIGH,CRITICAL
2025-10-03T17:15:42+09:00 INFO [vuln] Vulnerability scanning is enabled
2025-10-03T17:15:42+09:00 INFO [secret] Secret scanning is enabled
2025-10-03T17:15:42+09:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-10-03T17:15:42+09:00 INFO [secret] Please see https://trivy.dev/v0.67/docs/scanner/secret#recommendation for faster secret detection
2025-10-03T17:15:42+09:00 INFO [npm] To collect the license information of packages, "npm install" needs to be performed beforehand dir="hello-project/node_modules"
2025-10-03T17:15:42+09:00 INFO [npm] To collect the license information of packages, "npm install" needs to be performed beforehand dir="my-vue3-todo/node_modules"
2025-10-03T17:15:42+09:00 INFO [npm] To collect the license information of packages, "npm install" needs to be performed beforehand dir="vue-router/node_modules"
2025-10-03T17:15:42+09:00 INFO Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2025-10-03T17:15:42+09:00 INFO Number of language-specific files num=3
2025-10-03T17:15:42+09:00 INFO [npm] Detecting vulnerabilities...
Report Summary
┌─────────────────────────────────┬──────┬─────────────────┬─────────┐
│ Target                          │ Type │ Vulnerabilities │ Secrets │
├─────────────────────────────────┼──────┼─────────────────┼─────────┤
│ hello-project/package-lock.json │ npm  │ 1               │ -       │
├─────────────────────────────────┼──────┼─────────────────┼─────────┤
│ my-vue3-todo/package-lock.json  │ npm  │ 1               │ -       │
├─────────────────────────────────┼──────┼─────────────────┼─────────┤
│ vue-router/package-lock.json    │ npm  │ 1               │ -       │
└─────────────────────────────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
hello-project/package-lock.json (npm)
=====================================
Total: 1 (MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────┤
│ nanoid  │ CVE-2024-55565 │ MEDIUM   │ fixed  │ 3.3.7             │ 5.0.9, 3.3.8  │ nanoid: nanoid mishandles non-integer values │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-55565   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────┘
my-vue3-todo/package-lock.json (npm)
====================================
Total: 1 (MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────┤
│ nanoid  │ CVE-2024-55565 │ MEDIUM   │ fixed  │ 3.3.7             │ 5.0.9, 3.3.8  │ nanoid: nanoid mishandles non-integer values │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-55565   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────┘
vue-router/package-lock.json (npm)
==================================
Total: 1 (MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────┤
│ nanoid  │ CVE-2024-55565 │ MEDIUM   │ fixed  │ 3.3.7             │ 5.0.9, 3.3.8  │ nanoid: nanoid mishandles non-integer values │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-55565   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────┘
PS C:\...\trivy-test>
PS C:\...\trivy-test>trivy image ubuntu:rolling
2025-10-03T17:19:37+09:00 INFO [vuln] Vulnerability scanning is enabled
2025-10-03T17:19:37+09:00 INFO [secret] Secret scanning is enabled
2025-10-03T17:19:37+09:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-10-03T17:19:37+09:00 INFO [secret] Please see https://trivy.dev/v0.67/docs/scanner/secret#recommendation for faster secret detection
2025-10-03T17:19:37+09:00 INFO Detected OS family="ubuntu" version="25.04"
2025-10-03T17:19:37+09:00 INFO [ubuntu] Detecting vulnerabilities... os_version="25.04" pkg_num=87
2025-10-03T17:19:37+09:00 INFO Number of language-specific files num=0
Report Summary
┌───────────────────────────────┬────────┬─────────────────┬─────────┐
│ Target                        │ Type   │ Vulnerabilities │ Secrets │
├───────────────────────────────┼────────┼─────────────────┼─────────┤
│ ubuntu:rolling (ubuntu 25.04) │ ubuntu │ 17              │ -       │
└───────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
ubuntu:rolling (ubuntu 25.04)
=============================
Total: 17 (UNKNOWN: 0, LOW: 7, MEDIUM: 10, HIGH: 0, CRITICAL: 0)
┌─────────────────────────┬────────────────┬──────────┬──────────┬──────────────────────┬──────────────────┬──────────────────────────────────────────────────────────────┐
│ Library                 │ Vulnerability  │ Severity │ Status   │ Installed Version    │ Fixed Version    │ Title                                                        │
├─────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ coreutils               │ CVE-2016-2781  │ LOW      │ affected │ 9.5-1ubuntu1.25.04.2 │                  │ coreutils: Non-privileged session can escape to the parent   │
│                         │                │          │          │                      │                  │ session in chroot                                            │
│                         │                │          │          │                      │                  │ https://avd.aquasec.com/nvd/cve-2016-2781                    │
├─────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ gpgv                    │ CVE-2022-3219  │ LOW      │ affected │ 2.4.4-2ubuntu23.1    │                  │ gnupg: denial of service issue (resource consumption) using  │
│                         │                │          │          │                      │                  │ compressed packets                                           │
│                         │                │          │          │                      │                  │ https://avd.aquasec.com/nvd/cve-2022-3219                    │
├─────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libgcrypt20             │ CVE-2024-2236  │ LOW      │ affected │ 1.11.0-6ubuntu1      │                  │ libgcrypt: vulnerable to Marvin Attack                       │
│                         │                │          │          │                      │                  │ https://avd.aquasec.com/nvd/cve-2024-2236                    │
├─────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libpam-modules          │ CVE-2025-8941  │ MEDIUM   │ affected │ 1.5.3-7ubuntu4.4     │                  │ linux-pam: Incomplete fix for CVE-2025-6020                  │
│                         │                │          │          │                      │                  │ https://avd.aquasec.com/nvd/cve-2025-8941                    │
├─────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libpam-modules-bin      │ CVE-2025-8941  │ MEDIUM   │ affected │ 1.5.3-7ubuntu4.4     │                  │ linux-pam: Incomplete fix for CVE-2025-6020                  │
│                         │                │          │          │                      │                  │ https://avd.aquasec.com/nvd/cve-2025-8941                    │
├─────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libpam-runtime          │ CVE-2025-8941  │ MEDIUM   │ affected │ 1.5.3-7ubuntu4.4     │                  │ linux-pam: Incomplete fix for CVE-2025-6020                  │
│                         │                │          │          │                      │                  │ https://avd.aquasec.com/nvd/cve-2025-8941                    │
├─────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libpam0g                │ CVE-2025-8941  │ MEDIUM   │ affected │ 1.5.3-7ubuntu4.4     │                  │ linux-pam: Incomplete fix for CVE-2025-6020                  │
│                         │                │          │          │                      │                  │ https://avd.aquasec.com/nvd/cve-2025-8941                    │
├─────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libpcre2-8-0            │ CVE-2025-58050 │ MEDIUM   │ fixed    │ 10.45-1              │ 10.45-1ubuntu0.1 │ pcre2: PCRE2: heap-buffer-overflow read in match_ref due to  │
│                         │                │          │          │                      │                  │ missing boundary restoration in...                           │
│                         │                │          │          │                      │                  │ https://avd.aquasec.com/nvd/cve-2025-58050                   │
├─────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libssl3t64              │ CVE-2025-9230  │ MEDIUM   │ fixed    │ 3.4.1-1ubuntu3       │ 3.4.1-1ubuntu4   │ openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap   │
│                         │                │          │          │                      │                  │ https://avd.aquasec.com/nvd/cve-2025-9230                    │
├─────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libssl3t64              │ CVE-2025-9231  │ MEDIUM   │ fixed    │ 3.4.1-1ubuntu3       │ 3.4.1-1ubuntu4   │ openssl: Timing side-channel in SM2 algorithm on 64 bit ARM  │
│                         │                │          │          │                      │                  │ https://avd.aquasec.com/nvd/cve-2025-9231                    │
├─────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ libssl3t64              │ CVE-2025-9232  │ LOW      │ fixed    │ 3.4.1-1ubuntu3       │ 3.4.1-1ubuntu4   │ openssl: Out-of-bounds read in HTTP client no_proxy handling │
│                         │                │          │          │                      │                  │ https://avd.aquasec.com/nvd/cve-2025-9232                    │
├─────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ login.defs              │ CVE-2024-56433 │ LOW      │ affected │ 1:4.16.0-7ubuntu1    │                  │ shadow-utils: Default subordinate ID configuration in        │
│                         │                │          │          │                      │                  │ /etc/login.defs could lead to compromise                     │
│                         │                │          │          │                      │                  │ https://avd.aquasec.com/nvd/cve-2024-56433                   │
├─────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ openssl-provider-legacy │ CVE-2025-9230  │ MEDIUM   │ fixed    │ 3.4.1-1ubuntu3       │ 3.4.1-1ubuntu4   │ openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap   │
│                         │                │          │          │                      │                  │ https://avd.aquasec.com/nvd/cve-2025-9230                    │
├─────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ openssl-provider-legacy │ CVE-2025-9231  │ MEDIUM   │ fixed    │ 3.4.1-1ubuntu3       │ 3.4.1-1ubuntu4   │ openssl: Timing side-channel in SM2 algorithm on 64 bit ARM  │
│                         │                │          │          │                      │                  │ https://avd.aquasec.com/nvd/cve-2025-9231                    │
├─────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ openssl-provider-legacy │ CVE-2025-9232  │ LOW      │ fixed    │ 3.4.1-1ubuntu3       │ 3.4.1-1ubuntu4   │ openssl: Out-of-bounds read in HTTP client no_proxy handling │
│                         │                │          │          │                      │                  │ https://avd.aquasec.com/nvd/cve-2025-9232                    │
├─────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ passwd                  │ CVE-2024-56433 │ LOW      │ affected │ 1:4.16.0-7ubuntu1    │                  │ shadow-utils: Default subordinate ID configuration in        │
│                         │                │          │          │                      │                  │ /etc/login.defs could lead to compromise                     │
│                         │                │          │          │                      │                  │ https://avd.aquasec.com/nvd/cve-2024-56433                   │
├─────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ tar                     │ CVE-2025-45582 │ MEDIUM   │ affected │ 1.35+dfsg-3.1        │                  │ tar: Tar path traversal                                      │
│                         │                │          │          │                      │                  │ https://avd.aquasec.com/nvd/cve-2025-45582                   │
└─────────────────────────┴────────────────┴──────────┴──────────┴──────────────────────┴──────────────────┴──────────────────────────────────────────────────────────────┘
PS C:\...\trivy-test>
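The commented-out line in trivy_check.bat writes the report as JSON instead of the tables shown here, and the image scan above shows why a pipeline gate needs the Status column: 'affected' rows have no fixed version to upgrade to, while 'fixed' rows do. The following Python script is an added example, not code from the original page or from Trivy. It reads such a JSON report and returns a non-zero exit code when findings at or above a severity threshold remain, optionally skipping unfixed ones. REPORT_JSON is a constructed sample with values taken from the scans on this page; its Results[] / Vulnerabilities[] / Misconfigurations[] field names follow Trivy's JSON schema as I know it and are an assumption rather than a verified spec.

```python
"""Severity gate over a Trivy JSON report (constructed sample included)."""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

REPORT_JSON = json.dumps({  # constructed sample, not real Trivy output
    "SchemaVersion": 2,
    "Results": [
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
         "Misconfigurations": [
             {"AVDID": "AVD-DS-0002", "Severity": "HIGH", "Status": "FAIL",
              "Title": "Specify at least 1 USER command in Dockerfile with non-root user as argument"},
             {"AVDID": "AVD-DS-0026", "Severity": "LOW", "Status": "FAIL",
              "Title": "Add HEALTHCHECK instruction in your Dockerfile"}]},
        {"Target": "hello-project/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2024-55565", "PkgName": "nanoid", "Severity": "MEDIUM",
              "Status": "fixed", "InstalledVersion": "3.3.7", "FixedVersion": "5.0.9, 3.3.8"}]},
        {"Target": "ubuntu:rolling (ubuntu 25.04)", "Class": "os-pkgs", "Type": "ubuntu",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2025-45582", "PkgName": "tar", "Severity": "MEDIUM",
              "Status": "affected", "InstalledVersion": "1.35+dfsg-3.1", "FixedVersion": ""},
             {"VulnerabilityID": "CVE-2025-9230", "PkgName": "libssl3t64", "Severity": "MEDIUM",
              "Status": "fixed", "InstalledVersion": "3.4.1-1ubuntu3", "FixedVersion": "3.4.1-1ubuntu4"}]},
    ],
})


def findings(report, min_severity="HIGH", ignore_unfixed=False):
    """Flatten vulnerabilities and failed misconfigurations at or above min_severity.

    Returns (target, id, severity) tuples in report order.
    """
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not v.get("FixedVersion"):
                continue  # like trivy --ignore-unfixed: nothing to upgrade to yet
            if SEVERITY_RANK.get(v.get("Severity"), 0) >= threshold:
                hits.append((target, v["VulnerabilityID"], v["Severity"]))
        for m in result.get("Misconfigurations") or []:
            if m.get("Status") != "FAIL":
                continue  # passing checks, when the report includes them, are not findings
            if SEVERITY_RANK.get(m.get("Severity"), 0) >= threshold:
                hits.append((target, m["AVDID"], m["Severity"]))
    return hits


def gate(report_text, min_severity="HIGH", ignore_unfixed=False):
    """Return (exit_code, hits): exit code 1 when anything at/above the threshold remains."""
    hits = findings(json.loads(report_text), min_severity, ignore_unfixed)
    return (1 if hits else 0), hits


if __name__ == "__main__":
    # usage: python gate.py [check_result.json] [MIN_SEVERITY]; with no file the sample is used
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else REPORT_JSON
    code, hits = gate(text, sys.argv[2] if len(sys.argv) > 2 else "HIGH")
    for target, ident, sev in hits:
        print(f"{sev:<8} {ident:<16} {target}")
    sys.exit(code)
```

Trivy can do the simplest form of this itself with --exit-code 1 (plus --ignore-unfixed for the 'affected' rows); a script like this one is for policies those flags cannot express, such as a different threshold per target or an allowlist of accepted IDs.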
PS C:\...\trivy-test>trivy config ./targets -s HIGH,CRITICAL
2025-10-03T17:20:20+09:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-10-03T17:20:20+09:00 INFO Detected config files num=2
Report Summary
┌─────────────────┬────────────┬───────────────────┐
│ Target          │ Type       │ Misconfigurations │
├─────────────────┼────────────┼───────────────────┤
│ Dockerfile      │ dockerfile │ 1                 │
├─────────────────┼────────────┼───────────────────┤
│ deployment.yaml │ kubernetes │ 3                 │
└─────────────────┴────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
Dockerfile (dockerfile)
=======================
Tests: 20 (SUCCESSES: 19, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)
AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────
deployment.yaml (kubernetes)
============================
Tests: 23 (SUCCESSES: 20, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)
AVD-KSV-0014 (HIGH): Container 'nginx-alpine' of Deployment 'nginx-alpine' should set 'securityContext.readOnlyRootFilesystem' to true
════════════════════════════════════════
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
See https://avd.aquasec.com/misconfig/ksv014
────────────────────────────────────────
deployment.yaml:16-19
────────────────────────────────────────
16 ┌ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
AVD-KSV-0118 (HIGH): container nginx-alpine in default namespace is using the default security context
════════════════════════════════════════
Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilities to potential attacks that rely on privileged access.
See https://avd.aquasec.com/misconfig/ksv118
────────────────────────────────────────
deployment.yaml:16-19
────────────────────────────────────────
16 ┌ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
AVD-KSV-0118 (HIGH): deployment nginx-alpine in default namespace is using the default security context, which allows root privileges
════════════════════════════════════════
Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilities to potential attacks that rely on privileged access.
See https://avd.aquasec.com/misconfig/ksv118
────────────────────────────────────────
deployment.yaml:15-19
────────────────────────────────────────
15 ┌ containers:
16 │ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
PS C:\...\trivy-test>
PS C:\...\trivy-test>trivy fs .\vue3-main -s MEDIUM,HIGH,CRITICAL
2025-10-03T17:21:05+09:00 INFO [vuln] Vulnerability scanning is enabled
2025-10-03T17:21:05+09:00 INFO [secret] Secret scanning is enabled
2025-10-03T17:21:05+09:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-10-03T17:21:05+09:00 INFO [secret] Please see https://trivy.dev/v0.67/docs/scanner/secret#recommendation for faster secret detection
2025-10-03T17:21:05+09:00 INFO [npm] To collect the license information of packages, "npm install" needs to be performed beforehand dir="hello-project/node_modules"
2025-10-03T17:21:05+09:00 INFO [npm] To collect the license information of packages, "npm install" needs to be performed beforehand dir="my-vue3-todo/node_modules"
2025-10-03T17:21:05+09:00 INFO [npm] To collect the license information of packages, "npm install" needs to be performed beforehand dir="vue-router/node_modules"
2025-10-03T17:21:05+09:00 INFO Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2025-10-03T17:21:05+09:00 INFO Number of language-specific files num=3
2025-10-03T17:21:05+09:00 INFO [npm] Detecting vulnerabilities...
Report Summary
┌─────────────────────────────────┬──────┬─────────────────┬─────────┐
│ Target                          │ Type │ Vulnerabilities │ Secrets │
├─────────────────────────────────┼──────┼─────────────────┼─────────┤
│ hello-project/package-lock.json │ npm  │ 1               │ -       │
├─────────────────────────────────┼──────┼─────────────────┼─────────┤
│ my-vue3-todo/package-lock.json  │ npm  │ 1               │ -       │
├─────────────────────────────────┼──────┼─────────────────┼─────────┤
│ vue-router/package-lock.json    │ npm  │ 1               │ -       │
└─────────────────────────────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
hello-project/package-lock.json (npm)
=====================================
Total: 1 (MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────┤
│ nanoid  │ CVE-2024-55565 │ MEDIUM   │ fixed  │ 3.3.7             │ 5.0.9, 3.3.8  │ nanoid: nanoid mishandles non-integer values │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-55565   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────┘
my-vue3-todo/package-lock.json (npm)
====================================
Total: 1 (MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────┤
│ nanoid  │ CVE-2024-55565 │ MEDIUM   │ fixed  │ 3.3.7             │ 5.0.9, 3.3.8  │ nanoid: nanoid mishandles non-integer values │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-55565   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────┘
vue-router/package-lock.json (npm)
==================================
Total: 1 (MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────┤
│ nanoid │ CVE-2024-55565 │ MEDIUM │ fixed │ 3.3.7 │ 5.0.9, 3.3.8 │ nanoid: nanoid mishandles non-integer values │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-55565 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────┘
PS C:\...\trivy-test>
PS C:\...\trivy-test>trivy fs -s HIGH,CRITICAL --scanners misconfig .\targets
2025-10-03T17:21:44+09:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-10-03T17:21:45+09:00 INFO Number of language-specific files num=0
2025-10-03T17:21:45+09:00 INFO Detected config files num=2
Report Summary
┌─────────────────┬────────────┬───────────────────┐
│ Target │ Type │ Misconfigurations │
├─────────────────┼────────────┼───────────────────┤
│ Dockerfile │ dockerfile │ 1 │
├─────────────────┼────────────┼───────────────────┤
│ deployment.yaml │ kubernetes │ 3 │
└─────────────────┴────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
Dockerfile (dockerfile)
=======================
Tests: 20 (SUCCESSES: 19, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)
AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────
deployment.yaml (kubernetes)
============================
Tests: 23 (SUCCESSES: 20, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)
AVD-KSV-0014 (HIGH): Container 'nginx-alpine' of Deployment 'nginx-alpine' should set 'securityContext.readOnlyRootFilesystem' to true
════════════════════════════════════════
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
See https://avd.aquasec.com/misconfig/ksv014
────────────────────────────────────────
deployment.yaml:16-19
────────────────────────────────────────
16 ┌ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
AVD-KSV-0118 (HIGH): container nginx-alpine in default namespace is using the default security context
════════════════════════════════════════
Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilities to potential attacks that rely on privileged access.
See https://avd.aquasec.com/misconfig/ksv118
────────────────────────────────────────
deployment.yaml:16-19
────────────────────────────────────────
16 ┌ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
AVD-KSV-0118 (HIGH): deployment nginx-alpine in default namespace is using the default security context, which allows root privileges
════════════════════════════════════════
Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilities to potential attacks that rely on privileged access.
See https://avd.aquasec.com/misconfig/ksv118
────────────────────────────────────────
deployment.yaml:15-19
────────────────────────────────────────
15 ┌ containers:
16 │ - name: nginx-alpine
17 │ image: nginx:alpine
18 │ ports:
19 └ - containerPort: 80
────────────────────────────────────────
PS C:\...\trivy-test>
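The three deployment.yaml findings above (AVD-KSV-0014 once, AVD-KSV-0118 at container and at Deployment level) all come from the manifest never declaring a `securityContext`. Below is a hardened rewrite of that Deployment, added here as an example and not taken from the original page. The image switch to `nginxinc/nginx-unprivileged:alpine`, the `/tmp` emptyDir mount and the resource values are assumptions of this example: stock `nginx:alpine` starts as root and binds port 80, so forcing it to run as a non-root user with a read-only root filesystem would fail at startup, whereas the unprivileged variant listens on 8080 and writes its pid and temp files under `/tmp`.

```yaml
# Added example (not from the original page): deployment.yaml rewritten so that
# the Trivy checks flagged above (AVD-KSV-0014, AVD-KSV-0118) no longer fire.
# Assumptions of this example: the nginxinc/nginx-unprivileged image (listens on
# 8080, runs as UID 101), the /tmp emptyDir mount and the resource figures.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-alpine
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-alpine
  template:
    metadata:
      labels:
        app: nginx-alpine
    spec:
      # Pod-level context: this is what the Deployment-level KSV-0118 finding
      # ("using the default security context, which allows root privileges") wants.
      securityContext:
        runAsNonRoot: true
        runAsUser: 101
        runAsGroup: 101
        fsGroup: 101
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: nginx-alpine
          # Assumption: unprivileged nginx build; stock nginx:alpine would need
          # root to bind port 80 and to write under /var/cache/nginx and /var/run.
          image: nginxinc/nginx-unprivileged:alpine
          ports:
            - containerPort: 8080
          # Container-level context: clears KSV-0014 (readOnlyRootFilesystem)
          # and the container-level KSV-0118 finding.
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # A read-only root filesystem still needs a writable scratch area for
          # the pid file and temp/cache paths; this image keeps them under /tmp.
          volumeMounts:
            - name: tmp
              mountPath: /tmp
          resources:
            requests:
              cpu: 100m
              memory: 64Mi
            limits:
              cpu: 500m
              memory: 128Mi
      volumes:
        - name: tmp
          emptyDir: {}
```

Drop this into `./targets/deployment.yaml` and re-run the same `trivy config ./targets -s HIGH,CRITICAL` from the batch file; the Dockerfile finding (AVD-DS-0002) is unaffected and still needs a `USER` instruction in the Dockerfile itself. Two caveats: the scans on this page filter with `-s HIGH,CRITICAL`, so running without `-s` can surface lower-severity checks the filtered runs never showed; and because the container now listens on 8080 rather than 80, any Service or probe pointing at this Deployment has to target 8080 too, which is the usual price of giving up the `NET_BIND_SERVICE` capability along with root.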