Day 2 — Trivy — Open Source Scanner for Container Images, FileSystem and Repositories

Reference: https://github.com/aquasecurity/trivy

If you want to check the previous day’s blog, please register using the below link https://www.101daysofdevops.com/courses/101-days-of-kubernetes/

The main idea behind Trivy is to scan container images, filesystems, and remote repositories so that they don't carry any known security vulnerabilities. But before we dig deeper into Trivy, let's start with some security basics.

What is Vulnerability?

As per Wikipedia, “In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries (i.e. perform unauthorized actions) within a computer system.”

Some famous software vulnerabilities:

  • Meltdown
  • Dirty Cow
  • Heartbleed
  • Shellshock

You need to understand how these vulnerabilities would impact your system if they are present on it. You need to deal with them immediately, because if you don't, an attacker can exploit your system. The first place to look up these vulnerabilities is CVE.

What is CVE?

CVE is short for Common Vulnerabilities and Exposures. It is the list of publicly disclosed computer security flaws, each with a unique identifier called a CVE ID assigned to it.

Reference: https://cve.mitre.org/

You need a tool or scanner to identify these known vulnerabilities and tell you whether your system is impacted by them; one such scanner is Trivy.

Trivy Installation

Installing Trivy is straightforward; follow the instructions for your distribution: https://aquasecurity.github.io/trivy/v0.20.1/getting-started/installation/

How Trivy Works

The way Trivy works is:

  • It identifies the packages and their versions in the image.
  • It then cross-references them with the vulnerability database, which it downloads first (the full database (BoltDB) by default, or, if you specify --light, a lighter one that is faster but does not display vulnerability descriptions and references; default: false).
  • For specific Linux distributions (Red Hat, Debian, Ubuntu, etc.) it downloads the security advisories.
  • To scan an image using Trivy, use the below command.
  • As you can see, the below nginx image (nginx:alpine) has a total of 6 vulnerabilities with severities of Critical, Medium, and High.
  • If you only want to see vulnerabilities with severity Critical:
  • You can mention multiple severities on a single line using:
  • If you want to scan a Docker container using Trivy, you can do it by passing the -i option.
  • You can use Trivy to detect any misconfiguration in your configuration files. E.g., to detect misconfiguration in the below Pod definition file, pass the conf option to the trivy command.
  • You can use Trivy with your CI/CD system. E.g., in the below case, if any CRITICAL severity is found in your image, your pipeline should fail, and this can be done by specifying --exit-code 1.
  • Similarly, if you don't want your pipeline to fail when the severity level is HIGH, specify --exit-code 0.
  • Similarly, there is a GitHub Action available for Trivy.
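The two CI/CD bullets above gate a pipeline on a single severity with `--exit-code`. The script below is an added example (not from the post or the Trivy project) that applies the same policy to a Trivy JSON report (`trivy image -f json`), so one scan can drive several gates, e.g. fail on CRITICAL only, or additionally skip findings with no fix. The report embedded here is constructed; its CVE IDs, packages and versions are placeholders.

```python
"""Severity gate over a Trivy JSON report (added example, not the post's or Trivy's code)."""
import json
import sys
from collections import Counter

# Constructed sample in the shape of `trivy image -f json nginx:alpine`.
# CVE IDs, package names and versions are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "nginx:alpine",
    "Results": [{
        "Target": "nginx:alpine (alpine 3.x)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libssl1.1",
             "InstalledVersion": "1.1.1k-r0", "FixedVersion": "1.1.1l-r0", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "curl",
             "InstalledVersion": "7.78.0-r0", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "zlib",
             "InstalledVersion": "1.2.11-r3", "FixedVersion": "1.2.12-r0", "Severity": "MEDIUM"},
        ],
    }],
})


def iter_vulns(report):
    """Yield every finding; accepts the newer top-level object and the older top-level list."""
    results = report["Results"] if isinstance(report, dict) else report
    for result in results:
        # "Vulnerabilities" is null (not an empty list) when a target is clean.
        for vuln in result.get("Vulnerabilities") or []:
            yield vuln


def gate(report_json, fail_on=("CRITICAL",), ignore_unfixed=False):
    """Return (exit_code, counts_by_severity): 1 if any finding's severity is in fail_on, else 0.

    Same policy as `trivy image --severity <levels> --exit-code 1`, applied after the scan.
    """
    counts = Counter()
    for vuln in iter_vulns(json.loads(report_json)):
        if ignore_unfixed and not vuln.get("FixedVersion"):
            continue  # no vendor fix yet: count it only when the policy says so
        counts[vuln["Severity"]] += 1
    blocked = sum(counts[severity] for severity in fail_on)
    return (1 if blocked else 0), dict(counts)


if __name__ == "__main__":
    # Pipe a real report in (`trivy image -f json nginx:alpine | python gate.py`) or use the sample.
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    code, counts = gate(data, fail_on=("CRITICAL", "HIGH"))
    print(f"findings by severity: {counts}; exit code {code}")
    sys.exit(code)
```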

Client/Server

  • You can use Trivy in client/server mode.
  • To start the server:
  • To start the client:

The advantage of this approach is that the server caches the responses, so all subsequent requests to the server are served from the cache.

  • You can use Trivy to scan the container image from inside the container. Log in to the container:
  • Install Trivy:
  • Scan the filesystem:
  • You can also scan a remote repository using the trivy repo command.
  • Trivy is now included with Harbor as the default scanner.
  • Trivy has high accuracy in detecting vulnerabilities in the case of Alpine Linux.

Conclusion

Trivy is easy to install and use. You can now scan container images, filesystems, and remote repositories to catch any known security vulnerabilities. It's easy to integrate with your CI/CD tools like Jenkins, CircleCI, and even GitHub Actions.

AWS Community Builder, Ex-Redhat, Author, Blogger, YouTuber, RHCA, RHCDS, RHCE, Docker Certified, 4XAWS, CCNA, MCP, Certified Jenkins, Terraform Certified, 1XGCP