Containers Vulnerability Scanner: Trivy
This article talks about Trivy, which is a simple and comprehensive vulnerability scanner for containers and other artifacts, suitable for Continuous Integration and Testing.
Table of Contents
- Introduction
- Installation
- Scanning Git Repository
- Scanning Container Image
- Scanning Filesystem
- Scanning the running Containers
- Embed Trivy in Dockerfile
Introduction
Trivy is an open-source tool by Aqua Security that scans for vulnerabilities and misconfigurations. It works at several levels: it can evaluate Infrastructure as Code, inspect container images, check configuration files, analyze Kubernetes deployments, and review the code in a Git repository. Because it ships as a single binary, Trivy can be integrated into a CI/CD pipeline (DevSecOps) simply by installing the binary and adding it to the project. Trivy covers both programming-language and operating-system packages and draws on a large vulnerability database, which allows quick scans for critical CVEs. With the tool's continuing improvements, it has helped pen-testers and cybersecurity researchers run continuous scans, making DevSecOps faster and more efficient.
Installation
The installation is quite simple. Follow the below-given commands to install Trivy from the official repository on your Ubuntu machine.
1. sudo apt-get install wget apt-transport-https gnupg lsb-release
2. wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
3. echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee /etc/apt/sources.list.d/trivy.list
4. sudo apt-get update
5. sudo apt-get install trivy
Once the tool has been installed and updated, you are ready to scan files.
Scanning Git Repository
As described above, Trivy can scan for security weaknesses across multiple platforms.
If your code lives in a Git repository, you can scan the repository directly without downloading the entire package:
sudo trivy repo https://github.com/appsecco/dvna
Scanning Container Image
With the ever-growing threats to docker security, Trivy is one of the best tools available in the market for scanning Container Images.
You can easily run a quick scan on the docker images to report any vulnerabilities by following the below-given steps.
Step 1: Check the image ID of the container image you want to scan.
sudo docker images
Step 2: Use the below-given command to scan the container image.
sudo trivy image 4621d4fe2959
You can also restrict a scan to a particular severity of vulnerabilities and save the report as a text file with the below-given commands.
sudo trivy image --severity HIGH 4621d4fe2959 > result.txt
tail result.txt
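The severity filter above and the --exit-code 1 flag used later in this article are the two knobs a CI job needs to turn a scan into a pass/fail gate. The following script is an added example, not part of the original article or of Trivy itself: it reads a Trivy JSON report (assumed to have been produced with sudo trivy image --format json -o report.json <image>) and fails the job only on HIGH/CRITICAL findings that already have a fixed version, so an unfixable base-image issue is reported but does not block every build. The embedded report is constructed sample data with placeholder CVE ids, package names and versions.

```python
import json
import sys

# Constructed sample in the shape of `trivy image --format json -o report.json <image>`
# (Trivy SchemaVersion 2); CVE ids, packages and versions are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "example/app:1.0", "ArtifactType": "container_image",
    "Results": [
        {"Target": "example/app:1.0 (alpine 3.7.3)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "musl", "InstalledVersion": "1.1.18-r3",
              "FixedVersion": "1.1.18-r4", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libssl1.0", "InstalledVersion": "1.0.2k-r0",
              "Severity": "HIGH"},  # no FixedVersion: upstream has no fix yet
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "busybox", "InstalledVersion": "1.27.2-r7",
              "FixedVersion": "1.27.2-r11", "Severity": "MEDIUM"}]},
        # Trivy omits "Vulnerabilities" entirely for a target with no findings.
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm"},
    ],
})

def load_findings(report_text):
    """Flatten Results[].Vulnerabilities[] into one list, tolerating targets without findings."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.append({"id": v["VulnerabilityID"], "pkg": v["PkgName"], "target": result["Target"],
                             "installed": v.get("InstalledVersion", ""), "fixed": v.get("FixedVersion", ""),
                             "severity": v.get("Severity", "UNKNOWN")})
    return findings

def gate(findings, fail_on=("HIGH", "CRITICAL"), fixed_only=True):
    """Return (exit_code, blocking findings), like `--severity HIGH,CRITICAL --exit-code 1`.
    With fixed_only=True a finding without a FixedVersion is reported but does not block,
    so the pipeline is not stuck on an issue that no package upgrade can fix yet."""
    blocking = [f for f in findings if f["severity"] in fail_on and (f["fixed"] or not fixed_only)]
    return (1 if blocking else 0), blocking

if __name__ == "__main__":
    # Usage: python gate.py report.json  (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = load_findings(text)
    code, blocking = gate(found)
    print(f"{len(found)} findings, {len(blocking)} blocking")
    for f in blocking:
        print(f"BLOCK {f['id']} {f['severity']} {f['pkg']} {f['installed']} -> {f['fixed']} ({f['target']})")
    sys.exit(code)
```

The exit code is what the CI runner acts on; the printed lines give the reviewer the package, installed version and fixed version to upgrade to.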
Scanning Filesystem
Trivy can be used to scan a filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem).
(Note: we are using the vulnerable-node project from the filesystem for this exercise.)
Use the below-given command to scan a directory; the conf subcommand checks the configuration files it finds there (Dockerfiles, Kubernetes manifests and similar) for misconfigurations.
trivy conf services/
Scanning the running Containers
You can also scan a running container from the inside. Follow the below-given steps.
Step 1: Run the container that you want to scan.
sudo docker run -it alpine
Step 2: Install the Trivy scanner inside the container and run it against the root filesystem.
apk add curl \
  && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \
  && trivy filesystem --exit-code 1 --no-progress /
Embed Trivy in Dockerfile
You can also scan the image as part of the build process by embedding Trivy in the Dockerfile. This approach can be used to update Dockerfiles currently using Aqua's MicroScanner. Follow the below-given steps to scan the image while it is being built.
Step 1: Add Trivy to the Dockerfile.
FROM alpine:3.7
RUN apk add curl \
  && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin \
  && trivy filesystem --exit-code 1 --no-progress /
Step 2: Build the image.
sudo docker build -t vulnerable-image .
Trivy runs during the build and prints its report in the build output; because of --exit-code 1, the build fails if vulnerabilities are found.
Thanks for reading the article.
Author: Ayush Khatkar is a cybersecurity researcher, technical writer and an enthusiastic pen-tester at Asecurity.