Can trivy be used to scan a host operating system ?

[liorkesos]

I'm looking to collect sbom and security information from the host operating system (in this case ubuntu) and several docker-compose installed on it.
The docker format is straightforward but I'd like to use the same tooling to collect sbom get security info or misconfigured from the host operating system as well...

[knqyf263]

Yes, you can use the rootfs subcommand. We may merge rootfs into fs in the near future, but rootfs is available now.
https://aquasecurity.github.io/trivy/v0.30.4/docs/vulnerability/scanning/rootfs/

$ trivy rootfs --format cyclonedx --output host.cdx.json /

[knqyf263]

Please see the log message.

[knqyf263]

If your image is large, it take a while to scan. You can also use --skip-dirs.
https://aquasecurity.github.io/trivy/v0.30.4/docs/vulnerability/examples/others/#skip-directories

[trevor-vaughan]

@knqyf263 If you merge fs and rootfs we REALLY need the ability to ignore dev dependencies as a flag. See #1350

[knqyf263]

We welcome contribution.

[trevor-vaughan]

@knqyf263 This was more of a "please don't break X" based on your feature merge statement. One of the reasons I currently use trivy over other solutions is that I don't have to roll a container image.

That said, I'm hoping to get time to contribute to fix some of these things in the future.