Trivy is an open-source security scanner. It checks targets such as Docker images, filesystems, Git repositories and Kubernetes clusters or resources for known vulnerabilities in OS packages and language dependencies, and also looks for leaked secrets.
In what use cases can Trivy be used?
I use it within the Jenkins pipeline to scan Docker images for vulnerabilities and fail the pipeline if any are found.
The best things about Trivy are:
- scanning is fast and easy to start with
- output can be generated in different formats (the default table view, JSON, and others)
- it integrates with CI systems such as Jenkins and GitHub Actions
This article focuses on installing Trivy and scanning a Docker image.
Install Docker
$ curl -fsSL https://get.docker.com | sudo bash
Note that piping a remote script straight into sudo runs unreviewed code as root. If that is not acceptable in your environment, download the script first, read it, and then execute it.
Installing Trivy on Ubuntu
$ sudo apt-get install wget apt-transport-https gnupg lsb-release -y
$ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
$ echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
$ sudo apt-get update
$ sudo apt-get install trivy -y
See the Trivy documentation for other installation methods.
Check the installed version
$ trivy -v
->
Version: 0.32.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-09-25 00:15:47.693806446 +0000 UTC
  NextUpdate: 2022-09-25 06:15:47.693806046 +0000 UTC
  DownloadedAt: 2022-09-25 04:53:02.836952098 +0000 UTC
Let's pull some Docker images to scan
$ sudo docker pull node:current-alpine3.16
$ sudo docker pull node:latest
Scan images
The command to scan a Docker image is
$ trivy image <docker_image:tag>
$ trivy image node:current-alpine3.16
->
node:current-alpine3.16 (alpine 3.16.2)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
The result shows 0 vulnerabilities. Keep in mind that 0 means none of the packages Trivy detected matched an entry in the vulnerability DB it has downloaded, so check that the DB is current (the DownloadedAt timestamp above) before reading 0 as "clean". Let's try another image.
$ trivy image node:latest
->
2022-09-25T05:45:46.025Z INFO Vulnerability scanning is enabled
2022-09-25T05:45:46.025Z INFO Secret scanning is enabled
2022-09-25T05:45:46.025Z INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-25T05:45:46.026Z INFO Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-09-25T05:45:46.259Z INFO Detected OS: debian
2022-09-25T05:45:46.259Z INFO Detecting Debian vulnerabilities...
2022-09-25T05:45:46.474Z INFO Number of language-specific files: 1
2022-09-25T05:45:46.474Z INFO Detecting node-pkg vulnerabilities...
node:latest (debian 11.5)
Total: 1130 (UNKNOWN: 0, LOW: 576, MEDIUM: 220, HIGH: 318, CRITICAL: 16)
Check the full output on GitHub.
From the scan output it is clear that many packages in node:latest are vulnerable; most of the findings are in the Debian OS packages rather than in Node itself.
We can restrict the report to CRITICAL vulnerabilities only:
$ trivy image --severity CRITICAL node:latest
........
........
node:latest (debian 11.5)
Total: 16 (CRITICAL: 16)
Check the output on GitHub. Replace CRITICAL with LOW, MEDIUM or HIGH as needed.
Severities can also be combined:
$ trivy image --severity HIGH,LOW node:latest
Let's change the output format to JSON
$ trivy image -f json node:latest
Check output at Github
Save the output to a file with the -o option
$ trivy image -f json -o trivy_node_output.json node:latest
If you are familiar with jq, you can use it to filter the JSON output, for example to count the CRITICAL findings:
$ jq '[.Results[].Vulnerabilities[]? | select(.Severity == "CRITICAL")] | length' trivy_node_output.json
The `[]?` matters: a result block with no findings (as in the alpine image scanned above) carries no Vulnerabilities array, and a plain `.Vulnerabilities[]` would make jq abort on it.
-> 16
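Putting the flags above together for the CI use case mentioned at the start (failing the build when vulnerabilities are found): the wrapper below is an added example, not code from this article or from the Trivy project. It assumes trivy is on PATH and the image is visible to the local Docker daemon; the function name scan_image, the default report file name and the exit-code mapping are choices made here, not Trivy conventions.

```shell
#!/bin/sh
# Added example, not part of the original article or the Trivy project.
# Assumes: trivy is on PATH and the image is visible to the local Docker daemon.
# scan_image, the default report name and the exit-code mapping are choices made here.
set -u

# scan_image IMAGE [SEVERITIES] [REPORT]
#   returns 0 : nothing found at the requested severities
#   returns 3 : vulnerabilities found (the value handed to --exit-code)
#   returns 2 : the scan itself did not complete
scan_image() {
    image=$1
    severities=${2:-HIGH,CRITICAL}
    report=${3:-trivy_report.json}

    # --exit-code 3    : exit 3 only when a finding at the given severities exists;
    #                    3 rather than 1 because trivy uses 1 for its own errors
    # --severity       : only these levels are reported and counted
    # --ignore-unfixed : drop findings with no fixed version, since rebuilding
    #                    the image cannot remove them yet
    # -f json -o       : keep a machine-readable report as a build artifact
    # --no-progress    : no progress-bar noise in CI logs
    if trivy image \
            --exit-code 3 \
            --severity "$severities" \
            --ignore-unfixed \
            --no-progress \
            -f json -o "$report" \
            "$image"; then
        rc=0
    else
        rc=$?
    fi

    case $rc in
        0) echo "PASS: no $severities vulnerabilities in $image (report: $report)" ;;
        3) echo "FAIL: $severities vulnerabilities in $image, see $report" >&2 ;;
        *) echo "ERROR: trivy exited $rc while scanning $image" >&2; rc=2 ;;
    esac
    return "$rc"
}

# Run as a pipeline step, e.g.:  sh scan_image.sh node:latest
# The script's exit status is what Jenkins or GitHub Actions turns into a red stage.
if [ $# -gt 0 ]; then
    scan_image "$@"
fi
```

`--exit-code` is what turns a scan into a build gate: without it trivy exits 0 whatever it finds, and the stage stays green. A value other than 1 is used because trivy reports its own failures (unreachable image, database download error) with exit code 1, and a pipeline should tell "vulnerable" apart from "the scan did not run". Leave out `--ignore-unfixed` if you want findings without a fixed version to stay visible in the report.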
Even though these images come from the official Docker Hub repository, they carry many packages the application never needs, and every one of them is attack surface that shows up in the scan. The difference between the alpine variant and node:latest above is exactly that.
To reduce vulnerabilities in your Docker images, build your own minimal base image for the application. Doing so forces you to understand exactly what the application needs in order to run, and leaves far fewer packages for Trivy to flag.
Thanks for reading :)
Check the blog for more articles.