Head over to the application and load a Trivy report .json file. For example, to scan an outdated alpine image, you can run the following command to create an alpine-3.9.2.json report.
trivy i -f json -o alpine-3.9.2.json alpine:3.9.2
Now load this file in the vulnerability explorer and start exploring. You can filter by term or click one of the categories in the filter bar to dig into the data.
The data never leaves your browser, because all processing is handled inside your browser. Of course you can feel free to fork this project and deploy your own version. If you do so, I would be happy if you leave me a comment and a star on the repository.
If you are using a GitLab Job to generate the Trivy report, you can supply a direct URL to the json file. The app will fetch the report and display the results, without the hassle of downloading the file first. You might need to provide a token for authentication; you can do that by clicking the shield symbol next to the URL field. Make sure to create a personal access token with the scope read_api. The token will be persisted in the local storage, so that you can reuse it the next time you want to load a report from the same GitLab instance.
You can pass a query parameter url to the app, and it will load a file from this URL on startup. It is a good idea to print the URL of the vulnerability explorer at the end of the job log, so that the user can jump directly to the vulnerability report. If the name of the report is trivy-results.json, the URL schema would look like this (CI_SERVER_URL already includes the protocol, so no extra https:// is put in front of it):
https://dbsystel.github.io/trivy-vulnerability-explorer/#/?url=$CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/jobs/$CI_JOB_ID/artifacts/trivy-results.json
Caution: There was a recent change in the implementation of the routing. Make sure to include the # within the URL, otherwise this feature will not work.
Note: While the feature was built with GitLab in mind, it should work for every artifact storage where the json can be downloaded with a GET HTTP request that needs at most a single HTTP header for authentication.
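As an added example (not code from this project), a POSIX shell helper for the end of a GitLab job that prints the explorer link described above. The https-only rule and the character checks are choices of this example, and gitlab.example.com in the comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the trivy-vulnerability-explorer project.
EXPLORER_BASE="https://dbsystel.github.io/trivy-vulnerability-explorer"

# explorer_link SERVER_URL PROJECT_ID JOB_ID [REPORT_PATH]
# Prints the deep link for a report stored as a GitLab job artifact.
explorer_link() {
  server_url=${1%/}                  # tolerate a trailing slash
  project_id=$2
  job_id=$3
  report=${4:-trivy-results.json}    # report name used on this page

  # Assumption of this example: only https origins are accepted, because a
  # stored access token may be needed to fetch the report from this host.
  case "$server_url" in
    https://?*) ;;
    *) echo "explorer_link: server URL must start with https://" >&2; return 1 ;;
  esac

  # GitLab project and job IDs are plain integers.
  for id in "$project_id" "$job_id"; do
    case "$id" in
      ''|*[!0-9]*) echo "explorer_link: IDs must be numeric" >&2; return 1 ;;
    esac
  done

  # Keep the artifact path to characters that need no URL encoding.
  case "$report" in
    ''|*[!A-Za-z0-9._/-]*) echo "explorer_link: unsupported report path" >&2; return 1 ;;
  esac

  # The '#' before '/?url=' is required by the explorer's routing.
  # No token goes into the link; it is entered once via the shield symbol.
  printf '%s/#/?url=%s/api/v4/projects/%s/jobs/%s/artifacts/%s\n' \
    "$EXPLORER_BASE" "$server_url" "$project_id" "$job_id" "$report"
}

# Inside a GitLab job the predefined variables are set; CI_SERVER_URL already
# carries the scheme (for example https://gitlab.example.com, a placeholder).
if [ -n "${CI_JOB_ID:-}" ]; then
  echo "Vulnerability report:"
  explorer_link "$CI_SERVER_URL" "$CI_PROJECT_ID" "$CI_JOB_ID"
fi
```

Sourced from the job's script or after_script, it prints the link only when the GitLab CI variables are present.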
This project is licensed under Apache-2.0