Secure Container Images with Trivy

Kasun Rajapakse
Ascentic Technology
4 min read · Jun 13, 2021

Vulnerability Scanner


Trivy ("tri" pronounced as in trigger, "vy" pronounced as in envy) is a simple open-source tool maintained by Aqua Security. It performs comprehensive vulnerability scanning of container images and other artifacts.

Outline

In this article, we are going to cover the following.

  • Introduction to Trivy
  • Capabilities of Trivy Vulnerability Scanner
  • How to scan different artifacts
  • A use case of using Trivy Vulnerability Scanner
  • Conclusion

Introduction to Trivy

Trivy is an open-source vulnerability scanner used for scanning container images, file systems, and git repositories.

Trivy detects vulnerabilities in the software installed in the operating system. It detects vulnerabilities in OS packages, such as those shipped by Alpine, RHEL, CentOS, etc., as well as in application dependencies managed by Composer, npm, yarn, etc.

Following is a high-level overview of how the Trivy vulnerability scanner works.

Figure 1: aquasecurity.github.io

Capabilities of Trivy Vulnerability Scanner

Following are a few features available with the vulnerability scanner:

1. Detect comprehensive vulnerabilities

This includes vulnerabilities in the OS and in OS packages (Alpine, RHEL, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux).

Application dependency vulnerabilities (npm, yarn, etc.)

2. Integrate with DevSecOps

It can be integrated into the CI stage of the pipeline to identify vulnerabilities in the code or container images.

It integrates with Travis CI, CircleCI, GitLab CI, GitHub Actions, etc.

3. Simple executable to be run

After installation, simply specify the container image name or the artifact to be scanned.

4. Fast scan time

The initial scan takes around 10 seconds, depending on network speed, but subsequent scans finish in seconds.

5. Easy installation to multiple OS platforms

Currently, we can install Trivy using apt-get install, yum install, and brew on macOS.

6. Support multiple formats of resources

  • Local container images running in Docker Engine
  • Local container images running in Podman (>=2.0)
  • Remote container registries such as Docker Hub, ACR, ECR, GCR
  • Docker images saved as tar archives
  • Local filesystems (Linux, macOS)
  • Remote git repositories

How to scan different artifacts

1. Docker Images

First, we will take a look at scanning a Docker image. To scan Docker images, the Docker daemon must be running on the local workstation. Then we can use the Trivy binary to scan the appropriate image. Following is a sample snippet of the command.

trivy rabbitmq:management-alpine
Figure 2 — vulnerabilities

2. Remote Private Container Registry

It is possible to scan private container images as well. First, we authenticate to the private container registry, then we specify the image we need to scan. When the scan starts, Trivy goes through its vulnerability database, identifies the vulnerabilities, and shows them as below.

trivy cloudlifeacr.azurecr.io/myhealth.web:latest
Figure 3: Private Image Vulnerability

3. Remote Git Repository

Trivy is also capable of scanning git repositories to identify vulnerabilities. This helps developers and DevSecOps engineers find security loopholes in application code.

A use case of using Trivy Vulnerability Scanner

We can use Trivy in our CI/CD pipeline. Currently, there are workflows for GitHub Actions, GitLab, CircleCI, Travis CI, and AWS CodePipeline. In this use case, I'll show how to use GitHub Actions for scanning images.

1. GitHub Action for Container Image Scan

The following GitHub Actions workflow can be used for image scanning.
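As an added example (not the author's workflow, which is not reproduced on this page), the following GitHub Actions workflow uses the aquasecurity/trivy-action to scan a freshly built image, publishes every finding as a SARIF report, and fails the job only on HIGH or CRITICAL vulnerabilities that already have a fix available. The image name myhealth.web, the Dockerfile location, and the branch name are assumptions.

```yaml
name: Container image scan

on:
  push:
    branches: [main]
  pull_request:

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF to the Security tab
    steps:
      - name: Check out source
        uses: actions/checkout@v4

      # Build the image from the repository Dockerfile (assumed to be at the repo root);
      # the tag is local to this job and constructed for the example.
      - name: Build image
        run: docker build -t myhealth.web:${{ github.sha }} .

      # First pass: record all findings as SARIF without failing the build,
      # so the results show up under Security > Code scanning alerts.
      - name: Trivy scan (SARIF report)
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: myhealth.web:${{ github.sha }}
          format: sarif
          output: trivy-results.sarif
          exit-code: '0'

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif

      # Second pass: gate the build. exit-code 1 fails the job, but only for
      # HIGH/CRITICAL findings in OS packages or application libraries that have
      # a fixed version; ignore-unfixed keeps unpatchable upstream CVEs from
      # blocking every deploy while they still remain visible in the SARIF report.
      - name: Trivy scan (build gate)
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: myhealth.web:${{ github.sha }}
          format: table
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: os,library
          severity: CRITICAL,HIGH
```

Running the gate as a separate step after the SARIF upload means a failing build still leaves a complete record of what was found.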

Conclusion

Finally, we can conclude that Trivy has great capabilities for securing our Docker images and git repositories by identifying vulnerabilities. By integrating it into the build stage of the CI/CD pipeline, we can identify those vulnerabilities early and avoid promoting them to the production environment.
