Trivy Security Scanner

Trivy is a security scanning tool. It can scan targets such as a Docker image, a filesystem, a Git repository, or a Kubernetes cluster or resource.

In what use cases can Trivy be used?

I use it within the Jenkins pipeline to scan Docker images for vulnerabilities and fail the pipeline if any are found.

The best things about Trivy are:

  • scanning is fast and easy to start with
  • output can be generated in different formats
  • it can be integrated with CI systems like Jenkins and GitHub Actions

This article focuses on installing Trivy and scanning a Docker image.

Install Docker

$ curl -fsSL https://get.docker.com | sudo bash

Installing Trivy on Ubuntu

$ sudo apt-get install wget apt-transport-https gnupg lsb-release -y

$ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null

$ echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list

$ sudo apt-get update
$ sudo apt-get install trivy -y

See the Trivy documentation for other installation methods.

Check the installed version

$ trivy -v
->
Version: 0.32.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-09-25 00:15:47.693806446 +0000 UTC
  NextUpdate: 2022-09-25 06:15:47.693806046 +0000 UTC
  DownloadedAt: 2022-09-25 04:53:02.836952098 +0000 UTC

Let's pull some Docker images to scan

$ sudo docker pull node:current-alpine3.16
$ sudo docker pull node:latest

Scan Images

The command to scan a Docker image is

$ trivy image <docker_image:tag>

$ trivy image node:current-alpine3.16

->
node:current-alpine3.16 (alpine 3.16.2)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

The result shows 0 vulnerabilities. Let's try another image.

$ trivy image node:latest

->
2022-09-25T05:45:46.025Z        INFO    Vulnerability scanning is enabled
2022-09-25T05:45:46.025Z        INFO    Secret scanning is enabled
2022-09-25T05:45:46.025Z        INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-25T05:45:46.026Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-09-25T05:45:46.259Z        INFO    Detected OS: debian
2022-09-25T05:45:46.259Z        INFO    Detecting Debian vulnerabilities...
2022-09-25T05:45:46.474Z        INFO    Number of language-specific files: 1
2022-09-25T05:45:46.474Z        INFO    Detecting node-pkg vulnerabilities...

node:latest (debian 11.5)

Total: 1130 (UNKNOWN: 0, LOW: 576, MEDIUM: 220, HIGH: 318, CRITICAL: 16)

Check the full output on GitHub.

From the scan output it is clear that many libraries in the node:latest image are vulnerable.

We can restrict the report to critical-severity vulnerabilities only, as below

$ trivy image --severity CRITICAL node:latest
........
........
node:latest (debian 11.5)

Total: 16 (CRITICAL: 16)

Check the output on GitHub. Replace CRITICAL with LOW, MEDIUM or HIGH to filter on another severity.

Now try combining severities

$ trivy image --severity HIGH,LOW node:latest

Let's try changing the output format

$ trivy image -f json node:latest

Check the output on GitHub.

Save the output to a file with the -o option

$ trivy image -f json -o trivy_node_output.json node:latest

If you are familiar with jq, you can use it to filter the JSON output. The trailing ? after the Vulnerabilities array skips result entries that have no vulnerabilities (for example secret findings or a clean target), which would otherwise make jq abort with "Cannot iterate over null".

$ jq '.Results[].Vulnerabilities[]?.Severity' trivy_node_output.json | grep -c 'CRITICAL'

-> 16
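The pipeline gate described earlier, fail the build when the scan finds anything at or above a chosen severity, can be built on the saved JSON report. Trivy's own --exit-code flag is the simplest way to do that; the script below is an added example (not from the original post or the Trivy project) that reads the `-f json` report, prints a per-severity summary in the same shape as the table footer above, and returns a CI exit status. It skips result entries without a "Vulnerabilities" key, the case the bare jq path trips over, and the embedded report is a constructed sample with placeholder CVE ids, not a real scan.

```python
import json
import sys
from collections import Counter

# Severity labels as Trivy reports them, lowest to highest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def count_by_severity(report: dict) -> Counter:
    """Count vulnerabilities per severity in a `trivy image -f json` report.
    Result entries without "Vulnerabilities" (secret findings, clean targets)
    are skipped rather than raising."""
    counts = Counter({s: 0 for s in SEVERITY_ORDER})
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return counts


def summary_line(counts: Counter) -> str:
    """Render counts like Trivy's table footer: Total: N (UNKNOWN: .., LOW: .., ...)."""
    total = sum(counts[s] for s in SEVERITY_ORDER)
    parts = ", ".join(f"{s}: {counts[s]}" for s in SEVERITY_ORDER)
    return f"Total: {total} ({parts})"


def exceeds_threshold(counts: Counter, threshold: str) -> bool:
    """True if any finding is at or above `threshold` ("HIGH" covers HIGH and CRITICAL)."""
    min_rank = SEVERITY_ORDER.index(threshold.upper())
    return any(counts[s] > 0 for s in SEVERITY_ORDER[min_rank:])


def gate(report_path: str, threshold: str = "CRITICAL") -> int:
    """Exit status for a CI step: 0 when the image passes, 1 when the build should fail."""
    with open(report_path) as fh:
        counts = count_by_severity(json.load(fh))
    print(summary_line(counts))
    return 1 if exceeds_threshold(counts, threshold) else 0


# Constructed sample in the shape of Trivy's JSON output; ids are placeholders.
SAMPLE_REPORT = {
    "ArtifactName": "example/app:1.0",
    "Results": [
        {"Target": "example/app:1.0 (debian 11.5)", "Class": "os-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libexample", "Severity": "LOW"}]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm"},
        {"Target": "app/.env", "Class": "secret", "Secrets": [{"RuleID": "example-rule"}]},
    ],
}

if __name__ == "__main__":
    sys.exit(gate(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "CRITICAL"))
```

Run it as a pipeline step with the report from the -o option, e.g. the trivy_node_output.json above, and a threshold such as HIGH; a non-zero exit fails the stage.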

Even though these images come from the official Docker Hub repository, they ship with several packages your application does not need.

To reduce the vulnerabilities in your Docker images, try building your own base image for your applications. That way you have a clear understanding of exactly what your application needs in order to run.

Thanks for reading :)

Check the blog for more articles.