Day 2 — Trivy — Open Source Scanner for Container Images, FileSystem and Repositories

Reference: https://github.com/aquasecurity/trivy
  • Meltdown
  • Dirty Cow
  • Heartbleed
  • Shellshock
sudo apt-get update
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
# trivy --version
Version: 0.20.1
  • It identifies the package and version in the image.
  • It then cross-references those packages against the vulnerability database, which it downloads first (the full database, a Bolt DB, by default; or you can pass --light, which is faster, but vulnerability descriptions and references are not displayed (default: false)).
  • For specific Linux distributions (Red Hat, Debian, Ubuntu, etc.), it downloads the distribution's security advisories.
trivy image alpine:3.10.2
2021-10-25T07:14:51.154-0700 INFO Need to update DB
2021-10-25T07:14:51.154-0700 INFO Downloading DB...
24.43 MiB / 24.43 MiB [------------------------------------------------------------------------------------------------------] 100.00% 6.19 MiB p/s 4s
2021-10-25T07:15:15.099-0700 INFO Detected OS: alpine
2021-10-25T07:15:15.099-0700 INFO Detecting Alpine vulnerabilities...
2021-10-25T07:15:15.102-0700 INFO Number of language-specific files: 0
2021-10-25T07:15:15.102-0700 WARN This OS version is no longer supported by the distribution: alpine 3.10.2
2021-10-25T07:15:15.102-0700 WARN The vulnerability detection may be insufficient because security updates are not provided

alpine:3.10.2 (alpine 3.10.2)
=============================
Total: 28 (UNKNOWN: 0, LOW: 4, MEDIUM: 14, HIGH: 9, CRITICAL: 1)
  • To scan an image using Trivy, use the command below:
trivy image <image:name>
  • As you can see, the nginx image below (nginx:alpine) has a total of 6 vulnerabilities, with severities of Critical, Medium and High.
  • If you only want to see vulnerabilities with severity CRITICAL, pass --severity CRITICAL.
  • You can mention multiple severities on a single line using:
--severity CRITICAL,HIGH
  • If you want to scan a Docker container using Trivy, you can do it by passing the -i option.
  • You can use Trivy to detect misconfigurations in your configuration files. E.g., to detect misconfigurations in the Pod definition file below, pass the conf subcommand to the trivy command.
# cat configs/security-context.yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 0
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false
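The Pod above runs as root (runAsUser: 0), which is the kind of finding the conf scan reports. A hardened version of the same Pod, added here as an example and not part of the original post or the Trivy project, drops root and adds the settings a Kubernetes misconfiguration check typically expects (the pinned image tag and the resource limits are constructed values):

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsNonRoot: true        # kubelet refuses to start the container if it would run as UID 0
    runAsUser: 1000           # was 0 (root) in the original manifest
    runAsGroup: 3000
    fsGroup: 2000
    seccompProfile:
      type: RuntimeDefault    # default seccomp filter instead of Unconfined
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox:1.34       # constructed: pin a tag instead of the floating default
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo   # the only writable path once the root fs is read-only
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]         # start from zero capabilities
    resources:
      limits:                 # constructed values; limits stop a compromised pod from starving the node
        cpu: "100m"
        memory: "64Mi"
```

Re-run the conf scan on the directory holding both manifests to see which findings the changes clear.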
  • You can use Trivy with your CI/CD system. E.g., in the case below, if any CRITICAL severity vulnerability is found in your image, your pipeline should fail; this can be done by passing --exit-code 1:
trivy image --exit-code 1 --severity CRITICAL <image name>

> trivy image --exit-code 1 --severity CRITICAL alpine:3.10.2
2021-10-25T15:30:22.619-0700 INFO Detected OS: alpine
2021-10-25T15:30:22.620-0700 INFO Detecting Alpine vulnerabilities...
2021-10-25T15:30:22.621-0700 INFO Number of language-specific files: 0
2021-10-25T15:30:22.621-0700 WARN This OS version is no longer supported by the distribution: alpine 3.10.2
2021-10-25T15:30:22.621-0700 WARN The vulnerability detection may be insufficient because security updates are not provided

alpine:3.10.2 (alpine 3.10.2)
=============================
Total: 1 (CRITICAL: 1)

+-----------+------------------+----------+-------------------+---------------+---------------------------------------+
|  LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+-----------+------------------+----------+-------------------+---------------+---------------------------------------+
| apk-tools | CVE-2021-36159   | CRITICAL | 2.10.4-r2         | 2.10.7-r0     | libfetch before 2021-07-26, as        |
|           |                  |          |                   |               | used in apk-tools, xbps, and          |
|           |                  |          |                   |               | other products, mishandles...         |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-36159 |
+-----------+------------------+----------+-------------------+---------------+---------------------------------------+

> echo $?
1
  • Similarly, if you don't want your pipeline to fail when the severity level is HIGH, pass --exit-code 0:
trivy image --exit-code 0 --severity HIGH  alpine:3.10.2
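The two commands above fail the pipeline only on the exact severity named. A gate that fails at or above a chosen severity, written here as an added example (not code from the original post or from the Trivy project), reads Trivy's JSON report (trivy image -f json); the sample report embedded below is constructed, with its CRITICAL entry taken from the table above and the HIGH entry a placeholder.

```python
import json
import subprocess
import sys

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]  # lowest to highest
# Constructed sample shaped like `trivy image -f json alpine:3.10.2` (SchemaVersion 2);
# the CRITICAL entry mirrors the table in the post, the HIGH one is a placeholder.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "alpine:3.10.2",
    "Results": [{
        "Target": "alpine:3.10.2 (alpine 3.10.2)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-36159", "PkgName": "apk-tools",
             "InstalledVersion": "2.10.4-r2", "FixedVersion": "2.10.7-r0",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0000", "PkgName": "placeholder-pkg",
             "InstalledVersion": "1.0-r0", "FixedVersion": "", "Severity": "HIGH"},
        ],
    }],
}

def count_by_severity(report):
    """Count findings per severity. Accepts the SchemaVersion 2 object (Results key)
    or the older top-level list of results; unknown labels count as UNKNOWN."""
    results = (report.get("Results") or []) if isinstance(report, dict) else report
    counts = {level: 0 for level in SEVERITY_ORDER}
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev if sev in counts else "UNKNOWN"] += 1
    return counts

def gate_exit_code(counts, fail_on="CRITICAL"):
    """1 if any finding is at or above fail_on (like --exit-code 1 --severity, but
    everything above fail_on also fails), else 0."""
    threshold = SEVERITY_ORDER.index(fail_on)
    return 1 if any(counts[s] for s in SEVERITY_ORDER[threshold:]) else 0

def scan_image(image):
    """Run Trivy for real and parse its JSON report (needs trivy on PATH)."""
    proc = subprocess.run(["trivy", "image", "-f", "json", image],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

if __name__ == "__main__":  # usage: python gate.py [image] [fail_on]; no image -> sample
    report = scan_image(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    counts = count_by_severity(report)
    print(counts)
    sys.exit(gate_exit_code(counts, sys.argv[2] if len(sys.argv) > 2 else "CRITICAL"))
```

With the sample report the script exits 1 for the default CRITICAL threshold and 0 only if you raise nothing above HIGH, which is exactly the distinction the two --exit-code commands make.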
  • Similarly, there is a GitHub Action available for Trivy.
  • You can use trivy in client/server mode
  • To start the server:
> trivy server --listen 0.0.0.0:10000
2021-10-25T16:12:09.033-0700 INFO Listening 0.0.0.0:10000...
2021-10-25T16:12:40.457-0700 INFO Detected OS: centos
2021-10-25T16:12:40.457-0700 INFO Detecting RHEL/CentOS vulnerabilities...
2021-10-25T16:12:40.459-0700 INFO Number of language-specific files: 0
  • To start the client:
> trivy client --remote http://localhost:10000 centos

centos (centos 8.4.2105)
========================
Total: 207 (UNKNOWN: 0, LOW: 88, MEDIUM: 107, HIGH: 9, CRITICAL: 3)
  • You can use Trivy to scan a container image from inside the container. Log in to the container:
# Login to container
> docker run -it centos
Unable to find image 'centos:latest' locally
latest: Pulling from library/centos
52f9ef134af7: Pull complete
Digest: sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177
Status: Downloaded newer image for centos:latest
  • Install Trivy:
[root@2785b513e49f /]# curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.20.2
aquasecurity/trivy info checking GitHub for tag 'v0.20.2'
aquasecurity/trivy info found version: 0.20.2 for v0.20.2/Linux/ARM64
aquasecurity/trivy info installed /usr/local/bin/trivy
  • Scan the filesystem:
[root@2785b513e49f /]# trivy fs /
2021-10-25T23:27:27.060Z INFO Need to update DB
2021-10-25T23:27:27.060Z INFO Downloading DB...
24.45 MiB / 24.45 MiB [----------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 6.33 MiB p/s 4s
2021-10-25T23:27:31.895Z INFO Detected OS: centos
2021-10-25T23:27:31.895Z INFO Detecting RHEL/CentOS vulnerabilities...
2021-10-25T23:27:31.899Z INFO Number of language-specific files: 0

2785b513e49f (centos 8.4.2105)
==============================
Total: 207 (UNKNOWN: 0, LOW: 88, MEDIUM: 107, HIGH: 9, CRITICAL: 3)
  • You can also scan a remote repository using the trivy repo command:
> trivy repo https://github.com/aquasecurity/trivy-ci-test
Enumerating objects: 24, done.
Counting objects: 100% (24/24), done.
Compressing objects: 100% (15/15), done.
Total 24 (delta 4), reused 21 (delta 4), pack-reused 0
2021-10-25T16:44:07.418-0700 INFO Number of language-specific files: 2
2021-10-25T16:44:07.418-0700 INFO Detecting pipenv vulnerabilities...
2021-10-25T16:44:07.428-0700 INFO Detecting cargo vulnerabilities...

Cargo.lock (cargo)
==================
Total: 9 (UNKNOWN: 9, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
  • Trivy is now included with Harbor as the default scanner.
  • Trivy has high accuracy in detecting vulnerabilities in the case of Alpine Linux.
Reference: https://medium.com/@knqyf263/a-simple-and-comprehensive-vulnerability-scanner-for-containers-compatible-with-ci-b3c0982d4fb6

Prashant Lakhera