Security Scanning Container Images Using Trivy

Bogdan Katishev
VRT Digital Products
2 min read · Jan 19, 2023
Photo by Julius Silver: https://www.pexels.com/photo/white-water-boat-753331/

When it comes to security in containers, you want an overview of what is actually inside an image: which distro packages and application dependencies it ships, and which of those carry known vulnerabilities.

We use Trivy as our main security scanning tool for the container images we build locally, before we push them to our remote Docker registry.

The problem with security scanners

Practically every container image, even the ones that come from Docker Hub and carry the "Docker Official Image" badge, contains packages with known security issues.

Often we only want to see the issues that can actually be patched at the time of scanning, i.e. findings for which the distro or the upstream package maintainer has already published a fixed version. That is why the tool needs good filtering functionality, to reduce the amount of "noise" in the report.

Nginx container image report generated by Trivy

Generating security reports that have value

Deciding which filtering strategy is of value to the products and services our teams offer is important, but it takes time, because different teams and services have different needs and requirements.

This is where Trivy comes into play. Trivy scans the locally built container images in our CI/CD pipeline with the filtering parameters we need and generates a report (in our case HTML). Afterwards we upload the report to external storage (in our case an S3 bucket), where we can analyze it further when needed.

In our case we ignore unpatched issues (--ignore-unfixed) and only show HIGH and CRITICAL issues (--severity HIGH,CRITICAL). Note that this only produces a report; the scan itself does not fail the pipeline. If you also want to block the push to the registry, add --exit-code 1 so Trivy exits non-zero whenever a finding survives the filters.

docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v "$HOME/.cache/trivy:/root/.cache/" \
  -v "$PWD/reports:/reports" \
  aquasec/trivy -d image --ignore-unfixed --severity HIGH,CRITICAL \
  --format template --template "@contrib/html.tpl" \
  -o /reports/report.html nginx

Two mounts matter here: the report is written inside the Trivy container, so /reports has to be a bind mount or the HTML file disappears together with the container, and mounting the vulnerability DB cache under /root/.cache/ avoids re-downloading the database on every scan. The -d flag only enables debug logging and can be dropped once the pipeline works.
Consul container image report with Trivy filtering

Fixing the security issues

For distro package vulnerabilities, since we only keep issues for which a fixed package version exists, it is enough to run the distro's package upgrade command while building the image; in our case (Debian) that is apt-get update && apt-get -y upgrade in the Dockerfile. Two caveats: rebuild with --no-cache (or otherwise bust the cache of that layer), otherwise Docker reuses the old layer and the upgrade never actually runs; and this only helps as long as the Debian release of the base image still receives security updates, so the base image itself has to be kept current too.

Software dependency vulnerabilities (Trivy reports these separately, per lockfile or manifest it finds in the image) are handled by the package manager of the language in question: bump the dependency to the fixed version named in the report, regenerate the lockfile and rebuild the image.
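The two sections above, the filtering (ignore unfixed, HIGH/CRITICAL only) and the split between distro packages and language dependencies when fixing, as one worked example. This is added example code, not from the article or from the Trivy project: it post-processes a Trivy JSON report (assumed to be produced with trivy image --format json -o report.json IMAGE) with the same filters the HTML scan uses and groups what survives by result class, so the OS-package findings become an apt upgrade hint for the image build and the dependency findings become a hint for the language package manager. The report document inside the block is constructed by hand to mirror Trivy's JSON schema; its CVE IDs, package versions and the two upgrade hints are placeholders and assumptions, not real advisories or Trivy output.

```python
"""Filter a Trivy JSON report like `--ignore-unfixed --severity HIGH,CRITICAL`
and group the survivors by result class (os-pkgs vs lang-pkgs) for fixing.

Added example, not code from the article or the Trivy project. Assumes the
report came from `trivy image --format json -o report.json IMAGE`. The sample
below is constructed by hand; its CVE IDs and versions are placeholders.
"""
import json
from collections import defaultdict

# Constructed sample in the shape of Trivy's JSON output (SchemaVersion 2):
# one OS-package result and one dependency result. Placeholder IDs, not real CVEs.
SAMPLE_REPORT = json.loads(r"""
{
  "SchemaVersion": 2, "ArtifactName": "nginx:1.23", "ArtifactType": "container_image",
  "Results": [
    {"Target": "nginx:1.23 (debian 11.6)", "Class": "os-pkgs", "Type": "debian",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl1.1", "Severity": "HIGH",
        "InstalledVersion": "1.1.1n-0+deb11u3", "FixedVersion": "1.1.1n-0+deb11u4"},
       {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6", "Severity": "CRITICAL",
        "InstalledVersion": "2.31-13+deb11u5"},
       {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libtiff5", "Severity": "MEDIUM",
        "InstalledVersion": "4.2.0-1+deb11u1", "FixedVersion": "4.2.0-1+deb11u3"}]},
    {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-0004", "PkgName": "requests", "Severity": "HIGH",
        "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0, 2.32.0"}]}
  ]
}
""")


def _first_fixed(fixed):
    """Trivy may list several fixed versions ("2.31.0, 2.32.0"); use the first."""
    return fixed.split(",")[0].strip()


def filter_vulns(report, severities=("HIGH", "CRITICAL"), ignore_unfixed=True):
    """Yield (result, vuln) pairs that survive the same filters as the CLI flags
    --severity and --ignore-unfixed. Clean targets carry no "Vulnerabilities"
    key at all, so that case is handled explicitly."""
    wanted = {s.upper() for s in severities}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity", "UNKNOWN").upper() not in wanted:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            yield result, vuln


def remediation_plan(report, **filters):
    """Group survivors as {(class, type, target): {pkg: {installed, fixed, ids}}}
    so each group can be handed to the fixer that owns it."""
    plan = defaultdict(dict)
    for result, vuln in filter_vulns(report, **filters):
        key = (result["Class"], result["Type"], result["Target"])
        pkg = plan[key].setdefault(vuln["PkgName"], {
            "installed": vuln["InstalledVersion"],
            "fixed": _first_fixed(vuln.get("FixedVersion", "")),
            "ids": []})
        pkg["ids"].append(vuln["VulnerabilityID"])
    return dict(plan)


# Assumed per-package-manager hints. Debian: the article's apt upgrade, narrowed
# to the affected packages; pip: pin to at least the fixed version (a finding
# without a fix, only possible with ignore_unfixed=False, stays unpinned).
UPGRADE_HINTS = {
    "debian": lambda pkgs: "apt-get update && apt-get install -y --only-upgrade "
                           + " ".join(sorted(pkgs)),
    "pip": lambda pkgs: "pip install --upgrade " + " ".join(
        f"'{name}>={info['fixed']}'" if info["fixed"] else name
        for name, info in sorted(pkgs.items())),
}


def remediation_commands(report, **filters):
    """One shell hint per target that still has findings after filtering."""
    cmds = {}
    for (cls, typ, target), pkgs in remediation_plan(report, **filters).items():
        hint = UPGRADE_HINTS.get(typ)
        cmds[target] = (hint(pkgs) if hint
                        else f"# no hint for {cls}/{typ}: {', '.join(sorted(pkgs))}")
    return cmds


if __name__ == "__main__":
    for target, cmd in remediation_commands(SAMPLE_REPORT).items():
        print(f"{target}\n  {cmd}")
```

With the article's filters the libc6 finding (no fixed version) and the libtiff5 finding (MEDIUM) drop out, and only libssl1.1 and requests remain; passing ignore_unfixed=False brings libc6 back into the apt hint, which is exactly the "unpatchable noise" the filtering is meant to keep out of the report.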

Conclusion

Using Trivy, we can generate clean, valuable reports, which we then send to the teams to help them prioritize which issues to work on.
