Containers are at the heart of modern DevOps workflows, but they’re not immune to vulnerabilities: every image carries an OS package set and application dependencies that age. That’s where Trivy comes in! Trivy is a powerful, open-source vulnerability scanner that makes checking your container images straightforward and effective. In this post, we’ll explore how to use Trivy to scan Docker images and catch known vulnerabilities before an image ships.
Why Trivy?
Trivy is a versatile and easy-to-use tool that helps you:
- Detect vulnerabilities in container images and application dependencies.
- Identify misconfigurations in Dockerfiles and Kubernetes manifests.
- Ensure compliance with security standards, such as CIS Benchmarks.
Key Benefits:
- Fast and Comprehensive Scanning: Supports both OS and application libraries.
- Wide Ecosystem Support: Works with Docker, Kubernetes, CI/CD pipelines, and more.
- Open Source: Free to use and continuously updated by Aqua Security.
Getting Started with Trivy
Step 1: Install Trivy
Linux (Debian/Ubuntu) Installation
The apt-key command used by older guides is deprecated on current Debian and Ubuntu releases, so store the Trivy signing key in a dedicated keyring and reference it with signed-by:
sudo apt-get install wget gnupg lsb-release -y
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
Using tee without -a means re-running the snippet overwrites the source entry instead of duplicating it.
MacOS Installation
brew install aquasecurity/trivy/trivy
Windows Installation
Use PowerShell with Chocolatey:
choco install trivy
Verify the installation:
trivy --version
Step 2: Scanning a Docker Image
Basic Command
To scan a Docker image for vulnerabilities, use:
trivy image <image_name>:<tag>
Example:
Scan the official NGINX image:
trivy image nginx:latest
Sample Output (illustrative; only one of the five rows is shown, and the exact findings change as the image and the vulnerability database are updated):
nginx:latest (debian 11.7)
Total: 5 (CRITICAL: 1, HIGH: 2, MEDIUM: 1, LOW: 1)

+----------+------------------+----------+-------------------+----------------------+-------------------+
| Library  | Vulnerability ID | Severity | Installed Version | Fixed Version        | Title             |
+----------+------------------+----------+-------------------+----------------------+-------------------+
| libzstd1 | CVE-2023-34251   | HIGH     | 1.4.8+dfsg-3      | 1.4.8+dfsg-3+deb11u2 | zstd: Double free |
+----------+------------------+----------+-------------------+----------------------+-------------------+
Step 3: Advanced Scanning Options
1. Skip the Vulnerability Database Update
Trivy refreshes its vulnerability database automatically before a scan. To reuse the cached database instead (for example on a runner without outbound access, or when you have just run another scan):
trivy image --skip-db-update nginx:latest
This flag does not affect image pulling: if the image already exists in the local Docker daemon, Trivy scans that copy rather than pulling from the registry. Older releases spelled the flag --skip-update.
2. Filter by Severity
Focus on critical and high-severity issues:
trivy image --severity CRITICAL,HIGH nginx:latest
3. Output Results as JSON
Save the scan report for further analysis:
trivy image --format json --output results.json nginx:latest
4. Ignore Unfixable Issues
Exclude vulnerabilities for which the distribution has not yet published a fixed package:
trivy image --ignore-unfixed nginx:latest
This keeps a CI gate actionable, but the hidden findings are still real exposure, so keep an unfiltered report for review.
5. Scan Specific Vulnerability Types
Target OS packages, application libraries, or both:
trivy image --vuln-type os,library nginx:latest
Recent Trivy releases rename this flag to --pkg-types and keep --vuln-type as a deprecated alias.
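Once a JSON report from option 3 is on disk, the severity and fixed-version filters above can be applied after the fact, and the result can drive the same pass/fail exit code that `trivy image --exit-code 1` produces natively. The script below is an added example, not code from this post or from the Trivy project. It assumes the JSON layout Trivy emits for an image scan (a top-level "Results" list whose entries carry a "Target" and a "Vulnerabilities" list with VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity) and runs against a constructed sample report whose image name, packages and CVE-0000-* identifiers are placeholders:

```python
"""Gate a CI job on a saved Trivy JSON report.

Added example, not code from the original post or the Trivy project. It assumes
the JSON layout Trivy emits for an image scan: a top-level "Results" list whose
entries carry a "Target" and a "Vulnerabilities" list of findings with
"VulnerabilityID", "PkgName", "InstalledVersion", "FixedVersion" and "Severity".
SAMPLE_REPORT below is constructed for illustration only.
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report: the shape mirrors `trivy image --format json`,
# but the image, packages, versions and CVE-0000-* identifiers are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/app:1.0",
    "Results": [
        {
            "Target": "example/app:1.0 (debian 12.5)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother0",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libother0",
                 "InstalledVersion": "2.3", "FixedVersion": "2.4", "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "examplelib",
                 "InstalledVersion": "0.9", "FixedVersion": "1.1", "Severity": "MEDIUM"},
            ],
        },
        # Misconfiguration/secret results carry no "Vulnerabilities" key at all.
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile"},
    ],
})


def severity_rank(severity):
    """Position in SEVERITY_ORDER; anything unrecognised ranks as UNKNOWN."""
    severity = (severity or "UNKNOWN").upper()
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def load_findings(report_json):
    """Flatten every vulnerability across all Results, tagging it with its Target."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": (vuln.get("Severity") or "UNKNOWN").upper(),
            })
    return findings


def filter_findings(findings, min_severity="HIGH", ignore_unfixed=False, ignored_ids=()):
    """Apply the same policy as --severity, --ignore-unfixed and a .trivyignore list."""
    threshold = severity_rank(min_severity)
    kept = []
    for finding in findings:
        if severity_rank(finding["severity"]) < threshold:
            continue
        if ignore_unfixed and not finding["fixed"]:   # empty FixedVersion = no fix yet
            continue
        if finding["id"] in ignored_ids:
            continue
        kept.append(finding)
    return kept


def severity_counts(findings):
    """Per-severity totals, like the summary line Trivy prints above its table."""
    return dict(Counter(f["severity"] for f in findings))


def gate(report_json, min_severity="HIGH", ignore_unfixed=False, ignored_ids=()):
    """Return (exit_code, blocking findings). Exit 1 mirrors `trivy --exit-code 1`."""
    blocking = filter_findings(load_findings(report_json), min_severity, ignore_unfixed, ignored_ids)
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    # Usage: python trivy_gate.py results.json   (falls back to the constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, blocking = gate(data, min_severity="HIGH", ignore_unfixed=True)
    for f in blocking:
        print(f"{f['severity']:<8} {f['id']:<14} {f['pkg']} {f['installed']} -> {f['fixed']}  [{f['target']}]")
    print("all findings by severity:", severity_counts(load_findings(data)))
    sys.exit(code)
```

For a single pipeline the native flags (--severity, --ignore-unfixed, --exit-code 1 and a .trivyignore file) do the same job with less code; a post-processing step like this earns its keep when one saved report feeds several consumers with different thresholds, or when the unfiltered totals must be recorded alongside the gating decision.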
Step 4: Automate Scanning in CI/CD Pipelines
Example: GitHub Actions
Use Trivy in a GitHub Actions workflow to enforce security checks. The exit-code and severity inputs make the job fail when CRITICAL or HIGH findings remain, which is what turns a report into a gate:
name: Trivy Scan
on:
  push:
    branches:
      - main
jobs:
  scan:
    runs-on: ubuntu-latest # or the label of your self-hosted runner pool
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3
      - name: Run Trivy Scan
        uses: aquasecurity/trivy-action@v0.9.1
        with:
          image-ref: 'nginx:latest'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: 'true'
          exit-code: '1'
Example: Jenkins Pipeline
The same gate in a declarative Jenkinsfile. Trivy must be installed on the agent; the non-zero exit code fails the stage:
pipeline {
    agent any
    stages {
        stage('Vulnerability Scan') {
            steps {
                sh 'trivy image --exit-code 1 --severity CRITICAL,HIGH --ignore-unfixed nginx:latest'
            }
        }
    }
}
Step 5: Best Practices
1. Update the Vulnerability Database. Trivy downloads a fresh database automatically when its cached copy is stale, so an ordinary scan already uses current data. To refresh it explicitly, for example when pre-warming a build agent, run:
trivy image --download-db-only
2. Focus on Fixing Critical Issues. Prioritize CRITICAL and HIGH vulnerabilities with an available fix first to minimize risk.
3. Integrate Scanning Early. Shift security left by integrating Trivy scans into your CI/CD pipelines and failing the build on findings above your threshold.
Final Thoughts
Trivy makes vulnerability scanning easy, fast, and effective. Whether you're working with container images, IaC, or application dependencies, it’s a must-have tool for your DevSecOps toolkit.
Want to explore more about Trivy? Check out the official documentation. Start scanning today and keep your applications secure!