---
name: trivy-offline-vulnerability-scanning
description: Use Trivy in offline mode to scan dependency files for security vulnerabilities without requiring internet access.
---

# Trivy Offline Vulnerability Scanning

Trivy can be used to scan package manager lock files (like `package-lock.json`, `yarn.lock`, `Cargo.lock`) in offline mode by utilizing a pre-downloaded vulnerability database.

## Prerequisites
- Trivy binary installed and available in the PATH.
- A local Trivy database (typically located in `~/.cache/trivy/db`), fetched beforehand on a host with internet access (for example with `trivy image --download-db-only`) and copied into place.

## Usage Pattern

To perform an offline scan of a filesystem path and write the results as JSON. `--offline-scan` stops Trivy from issuing API requests to identify dependencies; `--skip-db-update` is also needed, otherwise Trivy still tries to refresh the local database and fails without network access:

```bash
# Scan a path with the local DB only; no dependency-resolution API calls, no DB refresh
trivy fs --offline-scan --skip-db-update --format json --output report.json <path_to_file_or_dir>
```

### Filtering by Severity
While you can filter on the command line with `--severity`, it is often better to capture the full report and filter during post-processing, so that no findings are lost for later analysis.

```bash
# Same offline flags as above; only HIGH and CRITICAL findings are emitted
trivy fs --offline-scan --skip-db-update --severity HIGH,CRITICAL --format json <path>
```

## JSON Report Structure
The JSON output contains a `Results` array. Each element in `Results` corresponds to a target (e.g., a file) and contains a `Vulnerabilities` array.

Each vulnerability object typically includes:
- `VulnerabilityID` (e.g., CVE-2023-1234)
- `PkgName`
- `InstalledVersion`
- `FixedVersion` (empty when no fixed release is known yet)
- `PrimaryURL`
- `Title`
- `Description`
- `Severity`
- `CVSS` (a map keyed by source such as `nvd` or `redhat`, each holding CVSS vectors and scores such as `V3Score`)
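As an added example (not part of Trivy or of this page's own tooling), the post-processing step described above: load the JSON report, walk `Results`, keep findings at or above a severity floor, take the highest `V3Score` across CVSS sources, and summarize which findings already have a `FixedVersion`. The embedded `SAMPLE_REPORT` is a constructed stand-in for real `trivy fs --format json` output.

```python
import json
import sys
from collections import Counter

# Constructed sample mimicking `trivy fs --format json` output; IDs, packages and
# scores are placeholders, not real findings.
SAMPLE_REPORT = {"Results": [
    {"Target": "package-lock.json", "Type": "npm", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "pkg-a", "InstalledVersion": "1.0.0",
         "FixedVersion": "1.0.1", "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.8}}},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "pkg-b", "InstalledVersion": "2.0.0",
         "FixedVersion": "", "Severity": "LOW", "CVSS": {}}]},
    {"Target": "Cargo.lock", "Type": "cargo", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "crate-c", "InstalledVersion": "0.1.0",
         "FixedVersion": "0.1.2", "Severity": "HIGH",
         "CVSS": {"nvd": {"V3Score": 7.5}, "redhat": {"V3Score": 7.2}}}]},
    {"Target": "README.md", "Type": "text"},  # targets with no findings may omit the key
]}

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def max_cvss(vuln):
    """Highest V3Score across the CVSS sources (nvd, redhat, ...); 0.0 if none."""
    return max((s.get("V3Score", 0.0) for s in (vuln.get("CVSS") or {}).values()), default=0.0)

def findings(report, min_severity="HIGH"):
    """Flatten Results into rows at or above min_severity, most severe first."""
    floor = SEVERITY_RANK[min_severity]
    rows = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # key may be absent or null
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < floor:
                continue
            rows.append({"target": result["Target"], "id": v["VulnerabilityID"],
                         "pkg": v["PkgName"], "installed": v["InstalledVersion"],
                         "fixed": v.get("FixedVersion") or None,  # "" means no fix yet
                         "severity": v["Severity"], "cvss": max_cvss(v)})
    rows.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], -r["cvss"]))
    return rows

def summarize(rows):
    """Per-severity counts and how many findings already have a fixed version."""
    return {"by_severity": dict(Counter(r["severity"] for r in rows)),
            "fixable": sum(1 for r in rows if r["fixed"])}

if __name__ == "__main__":  # usage: python filter_report.py [report.json]
    rows = findings(json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT)
    for r in rows:
        print(r["severity"], r["cvss"], r["target"], r["pkg"], r["installed"], "->", r["fixed"] or "no fix", r["id"])
    print(summarize(rows))
```

Run it against a real `report.json` produced by the command above; the `min_severity` argument lets you change the floor without rescanning.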
