Day 2 — Trivy — Open Source Scanner for Container Images, FileSystem and Repositories

Reference:

If you want to check the previous day’s blog, please register using the below link

The main idea behind Trivy is to scan container images, filesystem, and remote repository so that they don’t have any known security vulnerabilities. But before we dig deeper into Trivy, let’s start with some security basics.

What is Vulnerability?

As per Wikipedia, “In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries (i.e. perform unauthorized actions) within a computer system.”

Some un-famous software vulnerabilities:

  • Meltdown
  • Dirty Cow
  • Heartbleed
  • Shellshock

You need to understand how this vulnerability will impact your system as if these vulnerabilities are present in your system. You need to deal with it immediately, as if you don’t do this, an attacker can exploit your system. The first place where you can check these vulnerabilities is CVE.

What is CVE?

CVE is short for Common Vulnerabilities and Exposures, and it’s the list of publicly disclosed computer security flaws with a unique identifier called CVE ID assigned to it.

Reference:

You need a tool or scanner to identify these known vulnerabilities and whether your system is impacted due to it, and one such scanner is trivy.

Trivy Installation

Installing Trivy is straightforward, follow the instruction based on your distribution

sudo apt-get updatesudo apt-get install wget apt-transport-https gnupg lsb-releasewget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list sudo apt-get update sudo apt-get install trivy
# trivy --version
Version: 0.20.1

How Trivy Works

The way trivy works is:

  • It identifies the package and version in the image.
  • It then cross-references with the vulnerability database and downloads it(Full database(Bolt DB)(default)or you can specify — light mode, it’s faster, but vulnerability descriptions and references are not displayed (default: false))
  • From specific Linux distributions, it downloads security advisory(RedHat, Debian, Ubuntu, etc.)
trivy image alpine:3.10.22021-10-25T07:14:51.154-0700 INFO Need to update DB2021-10-25T07:14:51.154-0700 INFO Downloading DB...24.43 MiB / 24.43 MiB [------------------------------------------------------------------------------------------------------] 100.00% 6.19 MiB p/s 4s2021-10-25T07:15:15.099-0700 INFO Detected OS: alpine2021-10-25T07:15:15.099-0700 INFO Detecting Alpine vulnerabilities...2021-10-25T07:15:15.102-0700 INFO Number of language-specific files: 02021-10-25T07:15:15.102-0700 WARN This OS version is no longer supported by the distribution: alpine 3.10.22021-10-25T07:15:15.102-0700 WARN The vulnerability detection may be insufficient because security updates are not providedalpine:3.10.2 (alpine 3.10.2)=============================Total: 28 (UNKNOWN: 0, LOW: 4, MEDIUM: 14, HIGH: 9, CRITICAL: 1)
  • To scan an image using trivy, use the below command
trivy image <image:name>
  • As you can see, the below nginx image(nginx:alpine) has a total of 6 vulnerabilities with Severity of (Critical, Medium, and High).
  • If you only want to see vulnerability with Severity of type Critical
  • You can mention multiple severities on a single line using
--severity CRITICAL,HIGH
  • If you want to scan a docker container using trivy you can do it by passing -i option.
  • You can use trivy to detect any misconfiguration in your configuration file. E.g., to detect misconfiguration in the below Pod definition file, pass the conf option to the trivy command
# cat configs/security-context.yaml 
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
securityContext:
runAsUser: 0
runAsGroup: 3000
fsGroup: 2000
volumes:
- name: sec-ctx-vol
emptyDir: {}
containers:
- name: sec-ctx-demo
image: busybox
command: [ "sh", "-c", "sleep 1h" ]
volumeMounts:
- name: sec-ctx-vol
mountPath: /data/demo
securityContext:
allowPrivilegeEscalation: false
  • You can use trivy with your CI/CD system. E.g., in the below case, if there is any CRITICAL severity found in your image, then your pipeline should fail, and this can be done by mentioning the — exit-code 1
trivy image --exit-code 1 --severity critical <image name>> trivy image --exit-code 1 --severity CRITICAL alpine:3.10.22021-10-25T15:30:22.619-0700 INFO Detected OS: alpine2021-10-25T15:30:22.620-0700 INFO Detecting Alpine vulnerabilities...2021-10-25T15:30:22.621-0700 INFO Number of language-specific files: 02021-10-25T15:30:22.621-0700 WARN This OS version is no longer supported by the distribution: alpine 3.10.22021-10-25T15:30:22.621-0700 WARN The vulnerability detection may be insufficient because security updates are not providedalpine:3.10.2 (alpine 3.10.2)=============================Total: 1 (CRITICAL: 1)+-----------+------------------+----------+-------------------+---------------+---------------------------------------+|  LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |+-----------+------------------+----------+-------------------+---------------+---------------------------------------+| apk-tools | CVE-2021-36159   | CRITICAL | 2.10.4-r2         | 2.10.7-r0     | libfetch before 2021-07-26, as        ||           |                  |          |                   |               | used in apk-tools, xbps, and          ||           |                  |          |                   |               | other products, mishandles...         ||           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-36159 |+-----------+------------------+----------+-------------------+---------------+---------------------------------------+> echo $?1
  • Similarly, you don’t want your pipeline to fail if the SEVERITY level is HIGH, and this can be done by mentioning the — exit-code 0.
trivy image --exit-code 0 --severity HIGH  alpine:3.10.2
  • Similarly there is GitHub action available for trivy

Client/Server

  • You can use trivy in client/server mode
  • To start the server
> trivy server --listen 0.0.0.0:100002021-10-25T16:12:09.033-0700 INFO Listening 0.0.0.0:10000...2021-10-25T16:12:40.457-0700 INFO Detected OS: centos2021-10-25T16:12:40.457-0700 INFO Detecting RHEL/CentOS vulnerabilities...2021-10-25T16:12:40.459-0700 INFO Number of language-specific files: 0
  • To start the client
> trivy client --remote http://localhost:10000 centoscentos (centos 8.4.2105)========================Total: 207 (UNKNOWN: 0, LOW: 88, MEDIUM: 107, HIGH: 9, CRITICAL: 3)

The advantage of this approach is that the server will cache the response, and all subsequent requests to the server are cached.

  • You can use trivy to scan the container image from inside the container. Login to the container
# Login to container
> docker run -it centos
Unable to find image 'centos:latest' locallylatest: Pulling from library/centos52f9ef134af7: Pull completeDigest: sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177Status: Downloaded newer image for centos:latest
  • Install the trivy
[root@2785b513e49f /]# curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.20.2aquasecurity/trivy info checking GitHub for tag 'v0.20.2'aquasecurity/trivy info found version: 0.20.2 for v0.20.2/Linux/ARM64aquasecurity/trivy info installed /usr/local/bin/trivy
  • Scan the filesystem
[root@2785b513e49f /]# trivy fs /2021-10-25T23:27:27.060Z INFO Need to update DB2021-10-25T23:27:27.060Z INFO Downloading DB...24.45 MiB / 24.45 MiB [------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 6.33 MiB p/s 4s2021-10-25T23:27:31.895Z INFO Detected OS: centos2021-10-25T23:27:31.895Z INFO Detecting RHEL/CentOS vulnerabilities...2021-10-25T23:27:31.899Z INFO Number of language-specific files: 02785b513e49f (centos 8.4.2105)==============================Total: 207 (UNKNOWN: 0, LOW: 88, MEDIUM: 107, HIGH: 9, CRITICAL: 3)
  • You can also scan remote repository using the trivy repo command
> trivy repo https://github.com/aquasecurity/trivy-ci-testEnumerating objects: 24, done.Counting objects: 100% (24/24), done.Compressing objects: 100% (15/15), done.Total 24 (delta 4), reused 21 (delta 4), pack-reused 02021-10-25T16:44:07.418-0700 INFO Number of language-specific files: 22021-10-25T16:44:07.418-0700 INFO Detecting pipenv vulnerabilities...2021-10-25T16:44:07.428-0700 INFO Detecting cargo vulnerabilities...Cargo.lock (cargo)==================Total: 9 (UNKNOWN: 9, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
  • Trivy is now included with as the default scanner.
  • Trivy has a high accuracy of detecting vulnerability in the case of alpine Linux.
Reference:

Conclusion

Trivy is easy to install and use. You can now scan container images, filesystem, and remote repository to prevent any known security vulnerabilities. It’s easy to integrate with your CI-CD tools like Jenkins, Circle CI, and even GitHub action.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store