SAST — Security Scan with AquaSec Trivy
Trivy, developed by AquaSec, is a powerful and comprehensive open-source vulnerability scanner designed specifically for containers and containerized applications. With the increasing popularity of containerization and the need for robust security measures, Trivy emerges as a vital tool in ensuring the integrity and resilience of containerized environments. Trivy’s standout feature lies in its ability to perform fast and accurate vulnerability assessments by leveraging an extensive and constantly updated vulnerability database. By thoroughly examining container images, Trivy can identify a wide range of security flaws, including outdated software versions, misconfigurations, and known vulnerabilities. Its seamless integration with popular container orchestration platforms, such as Kubernetes, further simplifies the vulnerability management process and facilitates proactive security practices. With its user-friendly interface and actionable reports, Trivy empowers developers, security teams, and DevOps professionals to proactively identify and mitigate potential risks, safeguarding containerized applications throughout their lifecycle.
Install Trivy
Trivy can be installed with a package manager, as a standalone binary, or used as a container image.
Installation — Trivy (aquasecurity.github.io)
How to use Trivy
In this Trivy walkthrough we will run Trivy from its Docker image and pass a couple of arguments to demonstrate its abilities.
Let's clone a known SonarQube plugin/utility that creates reports of projects.
git clone https://github.com/cnescatlab/sonar-cnes-report.git
cd sonar-cnes-report
As soon as the clone is done, let's scan the project and check Trivy's findings.
Example 1: Run Trivy as container & Scan Local project
docker run \
-v $PWD:/myapp \
-v /var/run/docker.sock:/var/run/docker.sock \
aquasec/trivy filesystem /myapp \
--ignore-unfixed \
--no-progress
The arguments we used are:
- -v $PWD:/myapp : mount the current working directory, which contains the application code, at the /myapp path inside the Trivy container.
- --ignore-unfixed : ignore vulnerabilities that have no published fix.
- --no-progress : do not show the percentage progress bar, which clutters the screen.
- -v /var/run/docker.sock:/var/run/docker.sock : mount the Docker socket so that Trivy can reach the Docker daemon from inside the container.
- aquasec/trivy filesystem : run the Trivy image with filesystem as the scan command. Trivy offers several scan targets, such as:
aws [EXPERIMENTAL] Scan AWS account
config Scan config files for misconfigurations
filesystem Scan local filesystem
image Scan a container image
kubernetes [EXPERIMENTAL] Scan kubernetes cluster
repository Scan a remote repository
rootfs Scan rootfs
sbom Scan SBOM for vulnerabilities
vm [EXPERIMENTAL] Scan a virtual machine image
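To make the effect of --ignore-unfixed concrete, here is an added example (not part of the original post and not Trivy's own code) that applies the same filter to a Trivy JSON report, as produced by `trivy filesystem /myapp --format json --output report.json`, and turns the counts into a CI pass/fail decision. The report below is a constructed sample; it assumes Trivy's JSON layout of a Results array whose entries hold Vulnerabilities with Severity and FixedVersion fields.

```python
import json
import sys

# Severity levels used in Trivy reports, lowest to highest.
SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report (invented package names and placeholder CVE ids),
# shaped like `trivy filesystem --format json` output.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "/myapp",
    "Results": [
        {
            "Target": "pom.xml", "Class": "lang-pkgs", "Type": "pom",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "example-lib",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "other-lib",
                 "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "third-lib",
                 "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "LOW"},
            ],
        },
        # A result with no "Vulnerabilities" key, as Trivy emits for clean targets.
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile"},
    ],
}


def count_by_severity(report, ignore_unfixed=False):
    """Tally vulnerabilities per severity; ignore_unfixed mirrors --ignore-unfixed."""
    counts = {sev: 0 for sev in SEVERITIES}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # no published fix: nothing actionable for the developer
            sev = vuln.get("Severity") or "UNKNOWN"
            counts[sev] = counts.get(sev, 0) + 1
    return counts


def gate(report, threshold="HIGH", ignore_unfixed=False):
    """Return True when no finding is at or above the threshold severity."""
    counts = count_by_severity(report, ignore_unfixed)
    blocking = SEVERITIES[SEVERITIES.index(threshold):]
    return sum(counts.get(s, 0) for s in blocking) == 0


if __name__ == "__main__":
    # Pass a real report path to gate on it; otherwise the constructed sample is used.
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    print(count_by_severity(report, ignore_unfixed=True))
    sys.exit(0 if gate(report, ignore_unfixed=True) else 1)
```

With the sample, the unfixed CRITICAL finding disappears once ignore_unfixed is set, but the fixable HIGH finding still fails the gate, which is the behaviour a pipeline usually wants.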
Example 2: Run Trivy as binary & Scan Remote Repository
In this example we scan the same project directly from its remote repository:
trivy repository https://github.com/cnescatlab/sonar-cnes-report.git
The output is the same as in the previous example; the only difference is that Trivy fetched and scanned the repository itself instead of a local checkout.
Example 3: Scan k8s for summary report
trivy k8s --report summary cluster
This produces a summary report for the current Kubernetes context.
Note:
Changing --report summary to --report all produces a detailed report instead.