SAST — Security Scan with AquaSec Trivy

Giannakopoulosj
Jun 23, 2023


Trivy, developed by Aqua Security, is an open-source security scanner. It started as a container image scanner and is still best known for that, but the same binary also scans local filesystems, Git repositories, SBOMs, Kubernetes clusters and virtual machine images. For each target it looks for known vulnerabilities in OS packages and language dependencies (checked against a regularly updated vulnerability database), misconfigurations in infrastructure-as-code files such as Dockerfiles, Kubernetes manifests and Terraform, and exposed secrets. Trivy ships as a single CLI binary, so it runs the same way on a laptop, in a CI pipeline or, through the Trivy Operator, inside a Kubernetes cluster. Its reports are readable in a terminal and can also be emitted as JSON, SARIF or a custom template for downstream tooling, which lets developers, security teams and DevOps engineers catch issues before images and manifests reach production.

Install Trivy

Trivy can be installed with a package manager, downloaded as a standalone binary, or run directly from its container image (aquasec/trivy). The installation page covers each option:

Installation — Trivy (aquasecurity.github.io)

How to use Trivy

In this walkthrough we will run Trivy from its Docker image and pass a couple of arguments to demonstrate what it can do.
Let's clone a known SonarQube plugin, the cnes-report utility that generates reports for SonarQube projects, and use it as the scan target:

git clone https://github.com/cnescatlab/sonar-cnes-report.git
cd sonar-cnes-report

Once the clone has finished, scan the project and look at Trivy's findings.

Example 1: Run Trivy as container & Scan Local project

docker run \
-v $PWD:/myapp \
-v /var/run/docker.sock:/var/run/docker.sock \
aquasec/trivy filesystem /myapp \
--ignore-unfixed \
--no-progress

The arguments we used are:

  • -v $PWD:/myapp : mount the current working directory, which contains the application code, at /myapp inside the Trivy container. If you run the image repeatedly, also mount a cache directory (-v $HOME/.cache/trivy:/root/.cache/) so the vulnerability database is not downloaded on every run.
  • --ignore-unfixed : skip vulnerabilities that have no published fix yet. This keeps the report actionable, but the suppressed findings are still real exposure; drop the flag when you need the full picture.
  • --no-progress : do not draw the progress bar, which clutters the terminal and CI logs.
  • -v /var/run/docker.sock:/var/run/docker.sock : mount the Docker socket so Trivy can talk to the host's Docker daemon. This is only needed for trivy image when the image lives in the local daemon rather than in a registry; a filesystem scan like this one works without it. Mounting the socket gives the container full control of the daemon, which is root-equivalent access to the host, so leave it out unless you actually need it.
  • aquasec/trivy filesystem : run the Trivy image with filesystem (short alias: fs) as the scan command. Trivy offers several scan targets to choose from:

aws [EXPERIMENTAL] Scan AWS account
config Scan config files for misconfigurations
filesystem Scan local filesystem
image Scan a container image
kubernetes [EXPERIMENTAL] Scan kubernetes cluster
repository Scan a remote repository
rootfs Scan rootfs
sbom Scan SBOM for vulnerabilities
vm [EXPERIMENTAL] Scan a virtual machine image
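Example 1 uses --ignore-unfixed to cut noise; in CI the usual next step is to make the scan fail the build on serious findings. Trivy can do that on its own with --severity HIGH,CRITICAL --exit-code 1, and --format json -o report.json writes the machine-readable report. The script below is an added example, not code from the original post or from the Trivy project: it applies the same policy (a severity threshold plus the --ignore-unfixed rule) to a saved JSON report, so the full report can be kept as a build artifact while the gate is decided separately. The embedded report is constructed for the example and its IDs are placeholders, not real CVEs; the field names follow Trivy's JSON report schema version 2.

```python
"""Severity gate over a Trivy JSON report (trivy ... --format json -o report.json).

Added example, not part of the original post or of Trivy itself. The embedded
report below is constructed for the example; its IDs are placeholders, not real CVEs.
"""
import json
import sys
from collections import Counter

# Trivy's severity levels, lowest to highest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in Trivy's JSON schema (SchemaVersion 2). Placeholder IDs.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "/myapp",
    "ArtifactType": "filesystem",
    "Results": [
        {
            "Target": "pom.xml",
            "Class": "lang-pkgs",
            "Type": "pom",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-lib",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-lib",
                 "InstalledVersion": "1.0.0", "FixedVersion": "",  # no fix yet
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "other-lib",
                 "InstalledVersion": "2.3.0", "FixedVersion": "2.4.0",
                 "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "Dockerfile",
            "Class": "config",
            "Type": "dockerfile",
            "Misconfigurations": [
                {"ID": "DS-EXAMPLE", "Title": "placeholder check",
                 "Severity": "HIGH", "Status": "FAIL"},
            ],
        },
    ],
})


def load_report(text):
    """Parse a Trivy JSON report; a missing Results key means a clean scan."""
    data = json.loads(text)
    if data.get("SchemaVersion") != 2:
        raise ValueError("unsupported Trivy report schema")
    return data


def rank(severity):
    """Position of a severity in SEVERITY_ORDER; unknown strings rank lowest."""
    sev = severity.upper()
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0


def findings(report, ignore_unfixed=False):
    """Yield (target, kind, id, severity) for each vulnerability and failed misconfiguration.

    ignore_unfixed mirrors Trivy's --ignore-unfixed flag: vulnerabilities with an
    empty FixedVersion are dropped. Misconfigurations are never "unfixed".
    """
    for result in report.get("Results", []):
        target = result.get("Target", "")
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            yield target, "vuln", vuln["VulnerabilityID"], vuln.get("Severity", "UNKNOWN")
        for misconf in result.get("Misconfigurations") or []:
            if misconf.get("Status", "FAIL") != "FAIL":
                continue  # passed checks are reported too; only failures count
            yield target, "misconf", misconf["ID"], misconf.get("Severity", "UNKNOWN")


def count_by_severity(report, ignore_unfixed=False):
    """Counter keyed by severity, e.g. {'CRITICAL': 1, 'HIGH': 2}."""
    return Counter(sev for _, _, _, sev in findings(report, ignore_unfixed))


def gate(report, threshold="HIGH", ignore_unfixed=False):
    """Return (passed, blocking); blocking lists findings at or above threshold.

    Same policy as: trivy ... --severity HIGH,CRITICAL --exit-code 1 [--ignore-unfixed]
    """
    floor = rank(threshold)
    blocking = [f for f in findings(report, ignore_unfixed) if rank(f[3]) >= floor]
    return not blocking, blocking


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    report = load_report(text)
    passed, blocking = gate(report, threshold="HIGH", ignore_unfixed=True)
    for target, kind, ident, sev in blocking:
        print(f"{sev:8} {kind:8} {ident:16} {target}")
    print("counts:", dict(count_by_severity(report)))
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: trivy fs --format json -o report.json /path/to/project, then python3 gate.py report.json. Without an argument the script runs on the embedded sample and exits 1, because a fixable CRITICAL and a HIGH misconfiguration remain even after the unfixed HIGH is dropped.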

Trivy in action

Example 2: Run Trivy as binary & Scan Remote Repository

In this example we scan the same project, but straight from its remote repository:

trivy repository https://github.com/cnescatlab/sonar-cnes-report.git

The output is the same as in the previous example. The difference is that Trivy clones the repository into a temporary directory and scans that checkout, so there is no local clone to manage. Like the filesystem scan, it works from the files in the repository (dependency manifests, lock files, IaC files) and does not need the project to be built.

Example 3: Scan k8s for summary report

trivy k8s --report summary cluster

This produces a summary report for the cluster in the current kubeconfig context (switch with kubectl config use-context). The scan reads workloads, RBAC objects and, for the infrastructure checks, the control-plane and node components, so run it with a kubeconfig that has cluster-wide read access; use --namespace to restrict the scan to a single namespace.
Note:

If we change --report summary to --report all we get the detailed report, which lists every individual finding instead of per-resource counts.

Excerpt from --report all: the report is split into three sections, a k8s Vulnerability Assessment summary, a k8s RBAC Assessment and a k8s Infra Assessment.


I'm a seasoned DevOps Engineer. Here is my notepad that holds daily ideas, solutions, or proof of concepts.