Add Trivy to an ADO CI/CD Pipeline

Mark
1 min read, May 14, 2020

Trivy is a container image vulnerability scanner from Aqua Security. It is completely free, it looks fairly comprehensive and, unlike some free scanners, it checks every image layer individually. It is designed only for CLI use.

For further information see https://github.com/aquasecurity/trivy

How to

This snippet is written for ADO YAML pipelines, but the scripts can just as easily be used in classic (UI-defined) ADO pipelines, Jenkins, AWS CodePipeline and so on.

On your local machine (assuming a bash shell) run:

    wget -qO trivy.key https://aquasecurity.github.io/trivy-repo/deb/public.key
    sha256sum trivy.key

After verifying that the public key is the genuine Aqua Security key and safe to trust, paste the sha256sum output into the echo line of the first CmdLine@2 task below (alternatively you could pass it in as a pipeline parameter).

Put these two tasks between your Image Build and Image Push tasks (you could make them one task):

    - task: CmdLine@2
      displayName: Install Trivy
      inputs:
        script: |
          # Abort the task on the first failing command; without this a
          # checksum mismatch is only printed and the key is still added to apt.
          set -euo pipefail
          if ! command -v trivy >/dev/null 2>&1; then
            # Pinned digest of the Aqua repository signing key (from the step above);
            # sha256sum -c expects "<hex>  <filename>" separated by two spaces.
            echo "51ca5d1384095c462099add67e46b028e0df0ff741c0f95ad30f561c4fad1ad4  trivy.key" > trivy.key_sha256sum
            wget -qO trivy.key https://aquasecurity.github.io/trivy-repo/deb/public.key
            sha256sum -c trivy.key_sha256sum
            sudo apt-key add trivy.key
            # Overwrite rather than append, so a reused agent does not accumulate duplicate entries
            echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list >/dev/null
            sudo apt-get update
            sudo apt-get install -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" trivy
          else
            echo "trivy already installed"
          fi
    - task: CmdLine@2
      displayName: Scan Container Image
      inputs:
        script: |
          # Exit code 1 (and therefore a failed task) if any fixable CRITICAL or HIGH finding is present
          trivy --severity CRITICAL,HIGH --ignore-unfixed --exit-code 1 --no-progress $(CONTAINER_REGISTRY)/$(IMAGE_REPOSITORY):$(CONTAINER_VERSION_TAG)
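The point of the pinned digest in the Install Trivy task is that the pipeline must refuse to trust a key that does not match what you verified locally. The script below is an added example, not code from the original post or from the Trivy project: it pulls that check out into a reusable function that fails closed (non-zero exit and the file removed on mismatch), so a following consumer such as apt-key cannot pick up an unverified file even if the caller forgets `set -e`. It assumes GNU coreutils sha256sum (with shasum or openssl as fallbacks); the key file used by `demo` is a constructed stand-in, not a real key, so everything runs offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the Trivy project).
# Fail-closed checksum pinning for a downloaded artifact, modelled on the
# "verify the key before apt-key add" step of the Install Trivy task.
# Assumed tools: sha256sum (coreutils) or shasum or openssl; wget for fetch_verified.

# sha256_of FILE : print the lowercase hex SHA-256 of FILE
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d ' ' -f1
  else
    openssl dgst -sha256 "$1" | sed 's/^.*= *//'
  fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only when the digest matches EXPECTED_HEX (case-insensitive).
# On mismatch or an unreadable file it returns 1 and deletes FILE, so a
# later step cannot consume an artifact that failed verification.
verify_sha256() {
  _file=$1
  _expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ ! -r "$_file" ]; then
    echo "verify_sha256: cannot read $_file" >&2
    return 1
  fi
  _actual=$(sha256_of "$_file")
  if [ "$_actual" = "$_expected" ]; then
    echo "verify_sha256: OK $_file"
    return 0
  fi
  echo "verify_sha256: MISMATCH $_file" >&2
  echo "  expected $_expected" >&2
  echo "  actual   $_actual" >&2
  rm -f "$_file"
  return 1
}

# fetch_verified URL FILE EXPECTED_HEX
# Download with wget (as the pipeline task does) and verify in one step.
# Returns 1 if either the download or the check fails. Needs network access,
# so it is not exercised by demo below.
fetch_verified() {
  if ! wget -qO "$2" "$1"; then
    echo "fetch_verified: download of $1 failed" >&2
    rm -f "$2"
    return 1
  fi
  verify_sha256 "$2" "$3"
}

# write_sample_key FILE : constructed stand-in for a downloaded key file
# (not a real key) so the check can be exercised offline.
write_sample_key() {
  printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' \
                'constructed sample content, not a real key' \
                '-----END PGP PUBLIC KEY BLOCK-----' > "$1"
}

# demo : the good digest must be accepted; a digest with one hex digit
# changed must be rejected and the file removed. Prints "demo: pass" on success.
demo() {
  _tmp=$(mktemp)
  write_sample_key "$_tmp"
  _good=$(sha256_of "$_tmp")
  verify_sha256 "$_tmp" "$_good" >/dev/null || return 1
  # flip the first hex digit to simulate a pinned digest that no longer matches
  case $_good in
    0*) _bad="1${_good#?}" ;;
    *)  _bad="0${_good#?}" ;;
  esac
  if verify_sha256 "$_tmp" "$_bad" 2>/dev/null; then
    echo "demo: tampered digest was accepted" >&2
    return 1
  fi
  if [ -e "$_tmp" ]; then
    echo "demo: unverified file was left behind" >&2
    return 1
  fi
  echo "demo: pass"
}
```

In the pipeline the equivalent call would be `fetch_verified https://aquasecurity.github.io/trivy-repo/deb/public.key trivy.key <pinned digest>` followed by `sudo apt-key add trivy.key`; because a failed check removes trivy.key, apt-key add then fails loudly instead of silently importing an unverified key. Deleting the artifact is what makes the check fail closed regardless of whether the calling script uses `set -e`.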
