Trivy can scan container images and filesystems without an internet connection, a crucial capability for air-gapped environments.

Let’s see Trivy in action on a local, air-gapped system. Imagine you have a custom-built container image, my-app:latest, that you need to scan for vulnerabilities.

First, you’ll need to download the Trivy binary and its vulnerability database to a machine that does have internet access.

On the internet-connected machine:

# Download the latest Trivy binary for your architecture
curl -sfL https://aquasecurity.github.io/trivy/releases/install.sh | sh -s -- -b /usr/local/bin v0.45.1

# Download the full vulnerability database
trivy image --download-db-only

This downloads the Trivy executable and populates ~/.cache/trivy/ with the vulnerability data. Now, you need to package this up for transfer to your air-gapped system. The easiest way is to create a tarball of the cache directory.

# Create a tarball of the Trivy cache directory
tar -czvf trivy-cache.tar.gz ~/.cache/trivy

Transfer trivy-cache.tar.gz and the trivy binary (or the install script if you prefer to run it again on the air-gapped machine) to your air-gapped environment.

On the air-gapped system:

First, ensure Trivy is installed. You can copy the binary or rerun the install script. Then, restore the vulnerability database:

# Extract the cached trivy database
tar -xzvf trivy-cache.tar.gz -C ~/.cache/

Now, you can scan your local container image. Trivy will use the database you just restored, and because my-app:latest is already present in the local container engine rather than pulled from a registry (as ubuntu:latest would be), the scan runs entirely offline.

# Scan your local container image using the offline database.
# --skip-db-update stops Trivy from trying to refresh the database online
# (it would otherwise attempt a download once the cached DB is past its
# NextUpdate time and fail without connectivity); --offline-scan stops it
# from contacting external package registries for dependency metadata.
trivy image --skip-db-update --offline-scan my-app:latest

This command will inspect my-app:latest for known vulnerabilities in its OS packages and application dependencies, leveraging the downloaded database.

The core problem Trivy solves in this scenario is the inability to fetch vulnerability intelligence in real-time from online feeds. By downloading the database beforehand, you effectively bring the "knowledge" of known vulnerabilities into the isolated environment. Trivy’s architecture allows it to be pointed at local data sources, making this offline mode seamless. The trivy image --download-db-only command is the key to populating the local cache, and the subsequent tar and extract commands are the mechanism for transferring that intelligence.

What most people don’t realize is that the vulnerability database is not just a static dump; it’s structured in a way that Trivy can efficiently query it. When you run trivy image my-app:latest offline, it’s not doing a full filesystem scan and then comparing against a giant text file. Instead, it identifies the OS and packages within your image (e.g., Alpine Linux 3.18, Nginx 1.24.0) and then queries its local database for known CVEs associated with those specific components and versions. This indexed lookup is what makes offline scanning performant.

The next challenge you’ll face is managing the updates to this offline database, ensuring your air-gapped system has reasonably current vulnerability intelligence without direct internet access.
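The following script is an added example, not code from the original post or from the Trivy project. It ties the transfer procedure above together and addresses the update problem just raised: it packs the cache with a SHA-256 checksum on the connected side, refuses to restore a tarball whose checksum no longer matches, and reads the NextUpdate timestamp from the cached metadata.json so an operator can tell when the air-gapped database needs a fresh transfer. The metadata.json field name (NextUpdate) and its ISO-8601 UTC format are assumptions based on the trivy-db metadata file; the flags --cache-dir, --skip-db-update and --offline-scan are real Trivy options.

```shell
#!/bin/sh
# Added example (not from the original post or the Trivy project): package,
# verify, restore and freshness-check an offline Trivy vulnerability database.
set -eu

# Pack a Trivy cache directory into a tarball plus a SHA-256 checksum file.
# The archive is rooted at the cache directory name (e.g. "trivy/..."), not
# at an absolute home path, so it restores cleanly under any user's ~/.cache.
# Usage: pack_trivy_cache <cache_dir> <out_tarball>
pack_trivy_cache() {
  cache_dir=$1; out=$2
  [ -f "$cache_dir/db/metadata.json" ] || { echo "no database under $cache_dir" >&2; return 1; }
  tar -czf "$out" -C "$(dirname "$cache_dir")" "$(basename "$cache_dir")"
  ( cd "$(dirname "$out")" && sha256sum "$(basename "$out")" > "$(basename "$out").sha256" )
}

# Verify the checksum recorded at pack time, then extract into <dest_parent_dir>
# (use ~/.cache to recreate ~/.cache/trivy). A tarball altered in transit is
# rejected rather than extracted.
# Usage: restore_trivy_cache <tarball> <dest_parent_dir>
restore_trivy_cache() {
  tarball=$1; dest=$2
  ( cd "$(dirname "$tarball")" && sha256sum -c "$(basename "$tarball").sha256" >/dev/null 2>&1 ) || {
    echo "checksum mismatch for $tarball, refusing to extract" >&2; return 1; }
  mkdir -p "$dest"
  tar -xzf "$tarball" -C "$dest"
}

# Report whether the cached database is still within its NextUpdate window.
# Assumption: metadata.json carries "NextUpdate" as an ISO-8601 UTC timestamp.
# ISO-8601 UTC strings sort chronologically, so a plain string sort decides.
# Usage: db_is_current <cache_dir>   (exit 0 = current, 1 = stale)
db_is_current() {
  next=$(sed -n 's/.*"NextUpdate":"\([^"]*\)".*/\1/p' "$1/db/metadata.json")
  now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  [ "$(printf '%s\n%s\n' "$next" "$now" | sort | tail -n1)" = "$next" ]
}

# Scan a local image using only the restored database: --skip-db-update stops
# Trivy from trying to refresh the DB, --offline-scan stops it from reaching
# external package registries for dependency metadata.
# Usage: scan_offline <cache_dir> <image>
scan_offline() {
  trivy image --cache-dir "$1" --skip-db-update --offline-scan "$2"
}

# Small CLI wrapper so the file is usable on both sides of the air gap:
#   ./trivy-airgap.sh pack    ~/.cache/trivy trivy-cache.tar.gz   # connected side
#   ./trivy-airgap.sh restore trivy-cache.tar.gz ~/.cache          # air-gapped side
#   ./trivy-airgap.sh check   ~/.cache/trivy                       # is the DB stale?
#   ./trivy-airgap.sh scan    ~/.cache/trivy my-app:latest
case "${1:-}" in
  pack)    pack_trivy_cache "$2" "$3" ;;
  restore) restore_trivy_cache "$2" "$3" ;;
  check)   db_is_current "$2" && echo "database current" || echo "database stale: transfer a fresh cache" ;;
  scan)    scan_offline "$2" "$3" ;;
esac
```

The check step is what turns the one-off transfer into a routine: run it from cron on the air-gapped host and alert when it reports stale, then repeat pack and restore from the connected side. Note that --skip-db-update only suppresses the refresh attempt; it does not make old intelligence any more complete, so the freshness check is what tells you how much trust to place in a clean scan result.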
