Day 2 — Trivy — Open Source Scanner for Container Images, FileSystem and Repositories

Reference: https://github.com/aquasecurity/trivy

If you want to read the previous day's blog, please register using the link below: https://www.101daysofdevops.com/courses/101-days-of-kubernetes/

The main idea behind Trivy is to scan container images, filesystems, and remote repositories so that they don't contain any known security vulnerabilities. But before we dig deeper into Trivy, let's start with some security basics.

What is a Vulnerability?

As per Wikipedia, “In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries (i.e. perform unauthorized actions) within a computer system.”

Some well-known software vulnerabilities:

  • Meltdown
  • Dirty Cow
  • Heartbleed
  • Shellshock

You need to understand how a vulnerability impacts your system. If any of these vulnerabilities are present in your system, you need to deal with them immediately, because if you don't, an attacker can exploit your system. The first place where you can check these vulnerabilities is CVE.

What is CVE?

CVE is short for Common Vulnerabilities and Exposures; it is the list of publicly disclosed computer security flaws, each assigned a unique identifier called a CVE ID.

Reference: https://cve.mitre.org/

You need a tool or scanner to identify these known vulnerabilities and tell you whether your system is affected by them; one such scanner is Trivy.

Trivy Installation

Installing Trivy is straightforward; follow the instructions for your distribution: https://aquasecurity.github.io/trivy/v0.20.1/getting-started/installation/

sudo apt-get update
# trivy --version
Version: 0.20.1

How Trivy Works

The way Trivy works is:

  • It identifies the packages and their versions in the image.
  • It then downloads the vulnerability database and cross-references the packages against it. By default the full database (Bolt DB) is downloaded; alternatively you can specify --light mode, which is faster, but vulnerability descriptions and references are not displayed (default: false).
  • For specific Linux distributions (RedHat, Debian, Ubuntu, etc.), it downloads the distribution's security advisories.
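To make the matching step concrete, here is a simplified illustration of it in Python. This is an added example, not Trivy's code: the installed package list, the advisory entries and the EXAMPLE-000x identifiers are all constructed, and the version comparison is only an approximation of Alpine's ordering (Trivy applies each distribution's own version rules, which is why it is so accurate on Alpine).

```python
"""Simplified illustration of how a scanner such as Trivy matches packages.

Added example, not Trivy's code. Trivy lists the packages installed in an image
and checks each one against the vulnerability database: a package is reported
when its installed version is older than the version in which the distribution
fixed the flaw. Everything below (package versions, advisories, IDs) is
constructed for this example.
"""
import re

# Constructed "installed packages", as a scanner would read them from the
# image's package database (e.g. /lib/apk/db/installed on Alpine).
INSTALLED = {
    "openssl": "1.1.1g-r0",
    "musl": "1.1.24-r2",
    "busybox": "1.31.1-r9",
}

# Constructed advisories in the shape of a distribution security feed entry:
# package name, first fixed version and severity. IDs are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "openssl", "fixed_version": "1.1.1k-r0", "severity": "HIGH"},
    {"id": "EXAMPLE-0002", "package": "musl", "fixed_version": "1.1.24-r1", "severity": "MEDIUM"},
    {"id": "EXAMPLE-0003", "package": "busybox", "fixed_version": "1.31.1-r10", "severity": "CRITICAL"},
    {"id": "EXAMPLE-0004", "package": "zlib", "fixed_version": "1.2.12-r0", "severity": "HIGH"},
]


def version_key(version):
    """Split a version into comparable chunks: digits compare numerically,
    letters lexically, and a number sorts before a letter at the same position.
    Good enough for Alpine-style "1.1.1k-r0" strings; pre-release suffixes such
    as "_rc1" would sort wrongly, which is why real scanners use per-distro rules."""
    return tuple(
        (0, int(chunk)) if chunk.isdigit() else (1, chunk)
        for chunk in re.findall(r"\d+|[A-Za-z]+", version)
    )


def is_vulnerable(installed_version, fixed_version):
    """A package is affected if the installed version is older than the fix."""
    return version_key(installed_version) < version_key(fixed_version)


def match_advisories(installed, advisories):
    """Return the advisories that apply to the installed packages, in a shape
    close to one row of Trivy's table output."""
    findings = []
    for adv in advisories:
        name = adv["package"]
        if name not in installed:
            continue  # package absent from the image: advisory does not apply
        if is_vulnerable(installed[name], adv["fixed_version"]):
            findings.append({
                "id": adv["id"],
                "package": name,
                "installed": installed[name],
                "fixed": adv["fixed_version"],
                "severity": adv["severity"],
            })
    return findings


if __name__ == "__main__":
    for f in match_advisories(INSTALLED, ADVISORIES):
        print(f"{f['id']:14} {f['package']:10} {f['installed']:12} -> {f['fixed']:12} {f['severity']}")
```

Running it reports openssl (older than the fixed 1.1.1k-r0) and busybox (revision r9 is older than r10); musl is already at a fixed revision and zlib is not installed, so neither is reported.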
  • To scan an image using Trivy, use the command below:
trivy image <image:name>
  • For example:
trivy image alpine:3.10.2
  • As you can see in the scan output, the nginx image (nginx:alpine) has a total of 6 vulnerabilities, with severities of Critical, High, and Medium.
  • If you only want to see vulnerabilities with severity Critical, pass --severity CRITICAL.
  • You can mention multiple severities on a single line using
--severity CRITICAL,HIGH
  • If you want to scan a docker container using Trivy, you can do it by passing the -i option.
  • You can use Trivy to detect misconfigurations in your configuration files. E.g., to detect misconfigurations in the Pod definition file below, use the conf subcommand of the trivy command:
# cat configs/security-context.yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 0
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false
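To show what a misconfiguration check on this file actually looks for, here is an added Python example; it is not Trivy's config scanner. It walks the same Pod spec (embedded as a dict that is assumed equivalent to the YAML above, so no YAML library is needed) and applies a few rules similar in spirit to the Kubernetes checks a scanner ships: running as root, privilege escalation, writable root filesystem, unpinned image tag. The rule names are invented for this example. Note that the Pod above sets runAsUser: 0, so the processes run as root even though allowPrivilegeEscalation is false.

```python
"""Minimal policy check over the Pod spec shown above.

Added example, not Trivy's config scanner. POD mirrors the page's
configs/security-context.yaml as a Python dict (assumed equivalent) so the check
needs no YAML library. Rule names are invented for this example.
"""

POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "security-context-demo"},
    "spec": {
        "securityContext": {"runAsUser": 0, "runAsGroup": 3000, "fsGroup": 2000},
        "volumes": [{"name": "sec-ctx-vol", "emptyDir": {}}],
        "containers": [
            {
                "name": "sec-ctx-demo",
                "image": "busybox",
                "command": ["sh", "-c", "sleep 1h"],
                "volumeMounts": [{"name": "sec-ctx-vol", "mountPath": "/data/demo"}],
                "securityContext": {"allowPrivilegeEscalation": False},
            }
        ],
    },
}


def effective(pod_ctx, container_ctx, key):
    """A container-level securityContext field overrides the Pod-level one."""
    return container_ctx[key] if key in container_ctx else pod_ctx.get(key)


def image_tag(image):
    """Tag or digest of an image reference, or "" when it is unpinned.
    Splitting on the last "/" first keeps a registry port (host:5000/app) out of the way."""
    last = image.rsplit("/", 1)[-1]
    if "@" in last:
        return last.split("@", 1)[1]
    return last.partition(":")[2]


def check_pod(pod):
    """Return (rule, severity, container, message) tuples for every violation."""
    findings = []
    spec = pod.get("spec") or {}
    pod_ctx = spec.get("securityContext") or {}
    for container in spec.get("containers") or []:
        name = container.get("name", "<unnamed>")
        ctx = container.get("securityContext") or {}

        # runAsUser / runAsNonRoot can be set at Pod or container level.
        run_as_user = effective(pod_ctx, ctx, "runAsUser")
        run_as_non_root = effective(pod_ctx, ctx, "runAsNonRoot")
        if run_as_user == 0:
            findings.append(("RUNS-AS-ROOT", "HIGH", name,
                             "runAsUser is 0, so the process runs as root in the container"))
        elif run_as_user is None and run_as_non_root is not True:
            findings.append(("ROOT-NOT-DENIED", "MEDIUM", name,
                             "neither runAsUser nor runAsNonRoot: true is set; the image default decides"))

        # The remaining fields exist only at container level.
        if ctx.get("privileged") is True:
            findings.append(("PRIVILEGED", "CRITICAL", name,
                             "privileged: true exposes host devices to the container"))
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(("PRIV-ESCALATION", "MEDIUM", name,
                             "allowPrivilegeEscalation is not explicitly false"))
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append(("WRITABLE-ROOTFS", "LOW", name,
                             "readOnlyRootFilesystem is not true"))

        tag = image_tag(container.get("image", ""))
        if tag in ("", "latest"):
            findings.append(("MUTABLE-IMAGE-TAG", "LOW", name,
                             f"image {container.get('image')!r} is not pinned to a tag or digest"))
    return findings


if __name__ == "__main__":
    for rule, severity, container, message in check_pod(POD):
        print(f"{severity:8} {rule:18} {container}: {message}")
```

On the Pod above this reports RUNS-AS-ROOT, WRITABLE-ROOTFS and MUTABLE-IMAGE-TAG; the explicit allowPrivilegeEscalation: false is the one setting that passes.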
  • You can use Trivy with your CI/CD system. E.g., in the case below, if any vulnerability of CRITICAL severity is found in your image, the pipeline should fail; this is done by passing --exit-code 1:
trivy image --exit-code 1 --severity CRITICAL <image:name>
  • Similarly, if you don't want your pipeline to fail when the severity level is HIGH, pass --exit-code 0:
trivy image --exit-code 0 --severity HIGH alpine:3.10.2
  • There is also a GitHub Action available for Trivy.
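As an added example (not from the post, and not Trivy's code), here is a small Python gate that reads the JSON report Trivy writes with --format json --output report.json and decides the pipeline's exit code itself. Doing the decision in a script lets one policy combine a "this severity and above" threshold with ignoring findings that have no fix yet (what Trivy's --ignore-unfixed flag does). The sample report and its EXAMPLE-000x identifiers are constructed; the script handles both the bare-list report shape older Trivy releases wrote and the {"Results": [...]} shape of newer ones, which is an assumption about the two formats rather than something the post states.

```python
"""CI gate over a Trivy JSON report.

Added example, not part of the post or of Trivy. Assumes the pipeline first runs
    trivy image --format json --output report.json <image:name>
and then runs this script on report.json. The sample report below is constructed
in the shape Trivy writes; the vulnerability IDs are placeholders.
"""
import json
import sys

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed report (assumption: newer schema with a "Results" list; older Trivy
# releases wrote a bare list of results, handled in iter_vulnerabilities).
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/app:1.0",
    "Results": [
        {
            "Target": "example.invalid/app:1.0 (alpine 3.10.2)",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "openssl",
                 "InstalledVersion": "1.1.1g-r0", "FixedVersion": "1.1.1k-r0",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "busybox",
                 "InstalledVersion": "1.31.1-r9", "FixedVersion": "1.31.1-r10",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "musl",
                 "InstalledVersion": "1.1.24-r2", "FixedVersion": "",
                 "Severity": "MEDIUM"},
            ],
        },
        # A target with no findings carries null, not an empty list.
        {"Target": "app/requirements.txt", "Vulnerabilities": None},
    ],
}


def iter_vulnerabilities(report):
    """Yield every vulnerability entry from either report shape."""
    results = report if isinstance(report, list) else (report.get("Results") or [])
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:
            yield vuln


def count_by_severity(report):
    """Count findings per severity, including zeros for severities not present."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for vuln in iter_vulnerabilities(report):
        sev = vuln.get("Severity", "UNKNOWN")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def gate_exit_code(report, fail_at="CRITICAL", ignore_unfixed=False):
    """Return 1 if any finding is at or above fail_at, else 0.

    Same idea as `trivy image --exit-code 1 --severity ...`, except that the
    threshold means "this severity and above" rather than an exact list, and
    findings without a FixedVersion can be skipped (Trivy's --ignore-unfixed)."""
    threshold = SEVERITY_ORDER.index(fail_at)
    for vuln in iter_vulnerabilities(report):
        if ignore_unfixed and not vuln.get("FixedVersion"):
            continue
        if SEVERITY_ORDER.index(vuln.get("Severity", "UNKNOWN")) >= threshold:
            return 1
    return 0


def main(argv):
    """Usage: gate.py report.json [FAIL_AT_SEVERITY] [--ignore-unfixed]"""
    path = argv[1]
    fail_at = next((a for a in argv[2:] if not a.startswith("--")), "CRITICAL")
    ignore_unfixed = "--ignore-unfixed" in argv[2:]
    with open(path) as fh:
        report = json.load(fh)
    counts = count_by_severity(report)
    print("findings by severity:", {k: v for k, v in counts.items() if v})
    code = gate_exit_code(report, fail_at, ignore_unfixed)
    print("PASS" if code == 0 else f"FAIL: finding at or above {fail_at}")
    return code


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv))
    # No report given: exercise the constructed sample.
    print(count_by_severity(SAMPLE_REPORT))
    print("gate at CRITICAL:", gate_exit_code(SAMPLE_REPORT, "CRITICAL"))
    print("gate at MEDIUM, unfixed ignored:",
          gate_exit_code(SAMPLE_REPORT, "MEDIUM", ignore_unfixed=True))
```

In a pipeline you would run `python gate.py report.json HIGH --ignore-unfixed` after the Trivy step; the script's exit status then fails or passes the job exactly as --exit-code does, but the policy lives in one place that every job shares.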

Client/Server

  • You can use Trivy in client/server mode.
  • To start the server:
> trivy server --listen 0.0.0.0:10000
  • To start the client:
> trivy client --remote http://localhost:10000 centos

The advantage of this approach is that the server caches the responses, so all subsequent requests to the server are served from the cache.

  • You can use Trivy to scan the container image from inside the container. Log in to the container:
# Login to container
> docker run -it centos
  • Install Trivy:
[root@2785b513e49f /]# curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.20.2
  • Scan the filesystem:
[root@2785b513e49f /]# trivy fs /
  • You can also scan a remote repository using the trivy repo command:
> trivy repo https://github.com/aquasecurity/trivy-ci-test
  • Trivy is now included with Harbor as the default scanner.
  • Trivy has high accuracy in detecting vulnerabilities in the case of Alpine Linux.
Reference: https://medium.com/@knqyf263/a-simple-and-comprehensive-vulnerability-scanner-for-containers-compatible-with-ci-b3c0982d4fb6

Conclusion

Trivy is easy to install and use. You can now scan container images, filesystems, and remote repositories to catch any known security vulnerabilities. It's easy to integrate with your CI/CD tools like Jenkins, Circle CI, and even GitHub Actions.