Security is always evolving. Before you release an application into production, serious security review is required to protect your assets, because there are plenty of attackers on the Internet waiting for exactly the kind of mistake that slips through after a sleepless night before a deployment. To contribute to the security of your containerized applications, this guide introduces a tool that can walk with you on that path: Trivy.
Trivy is a simple and comprehensive vulnerability scanner for containers and other artifacts. It detects vulnerabilities in operating system packages (Alpine, RHEL, CentOS, etc.) and in application dependencies (Bundler, Composer, npm, yarn, etc.). Before pushing to a container registry or deploying an application, you can scan the local container image and other artifacts and satisfy yourself that the application is in good shape, without the heavier setup and configuration that other scanners require.
Features of Trivy
Trivy offers the following features:
- Detects a comprehensive set of vulnerabilities
- Simplicity: specify only the image name or artifact name
- Fast: the first scan completes within about 10 seconds (depending on your network, since the vulnerability database is downloaded on first use); subsequent scans complete in a few seconds
- DevSecOps: suitable for CI, such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
- Supports multiple targets, including container images, local file systems and remote git repositories
- Easy to install: apt-get, yum and brew installation, with no prerequisites such as a database or libraries to set up
Install Trivy
Install Trivy on CentOS
To install Trivy on a CentOS machine you have two options: use Trivy's yum repository, or install the RPM package directly from the release page. To install from the repository, write the repository definition below to /etc/yum.repos.d/trivy.repo (a quoted heredoc is used so that the shell does not expand $releasever and $basearch; yum expands them itself) and then install Trivy.
sudo tee /etc/yum.repos.d/trivy.repo <<'EOF'
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
gpgcheck=0
enabled=1
EOF
Note that gpgcheck=0 disables RPM signature verification for this repository, so yum will install whatever the repository serves over HTTPS. If the repository publishes a signing key, prefer gpgcheck=1 with gpgkey= pointing at that key.
After adding the Trivy repository, update the server and install the trivy package as follows:
sudo yum -y update
sudo yum -y install trivy
To install Trivy from its RPM package instead, look up the latest Trivy release and run a command like the following (this example uses v0.12.0):
$ rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.12.0/trivy_0.12.0_Linux-64bit.rpm
Install Trivy on Debian | Ubuntu
As on CentOS, you can install Trivy on a Debian or Ubuntu box in two ways: from Trivy's apt repository, or directly from the .deb package. To install from the repository, import the repository's signing key, add the repository and proceed to install Trivy.
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee /etc/apt/sources.list.d/trivy.list
After adding the Trivy repository, update the package index and install the trivy package. (On recent Debian and Ubuntu releases apt-key is deprecated; the same key can be stored under /etc/apt/trusted.gpg.d/ or referenced from the sources entry with signed-by instead.)
sudo apt-get update
sudo apt-get install trivy
Or, if you prefer the .deb package, look up the latest Trivy release, download the package and install it with apt so that dependencies are resolved:
wget <deb-package-url>
sudo apt install ./<deb-package>.deb
Install Trivy on Arch Linux | Manjaro
For Arch users, Trivy is available from the AUR as trivy-bin and can be installed with the pikaur or yay AUR helper, as shown below.
pikaur -Sy trivy-bin
Or, using the yay AUR helper:
yay -Sy trivy-bin
Install Trivy on MacOS
Mac users are not left behind: install Trivy on macOS via Homebrew by running the following command.
brew install aquasecurity/trivy/trivy
Trivy in Action – How to use Trivy
After installing Trivy, we are ready to use it. Trivy covers many use cases; this guide walks through some of them.
Scan file system
Trivy can scan file systems, such as a host, a virtual machine image or an unpacked container image file system. During the scan it finds vulnerabilities based on lock files such as Gemfile.lock and package-lock.json. Note the first warning in the output: when the scanned tree is not a recognisable OS root, only application dependencies are checked, not OS packages. The syntax is as follows:
$ trivy fs /home/vagrant
2020-11-09T10:35:41.656Z WARN OS is not detected and vulnerabilities in OS packages are not detected.
2020-11-09T10:35:41.656Z INFO Detecting ruby vulnerabilities...
2020-11-09T10:35:41.656Z INFO Detecting nodejs vulnerabilities...

octant/site/Gemfile.lock
========================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

octant/web/package-lock.json
============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
Scan your Git repository
You can also point this simple but powerful tool at a remote git repository. Note that only public repositories are supported. Use the repo subcommand as follows (on first use Trivy downloads its vulnerability database before cloning the repository):
$ trivy repo https://github.com/aquasecurity/trivy
2020-11-09T07:13:25.265Z INFO Need to update DB
2020-11-09T07:13:25.265Z INFO Downloading DB...
19.13 MiB / 19.13 MiB [-----------------------------------------------------------] 100.00% 512.75 KiB p/s 38s
Enumerating objects: 2338, done.
Counting objects: 100% (2338/2338), done.
Compressing objects: 100% (1260/1260), done.
Total 2338 (delta 1229), reused 1943 (delta 933), pack-reused 0
2020-11-09T07:40:29.758Z WARN OS is not detected and vulnerabilities in OS packages are not detected.
Scan a container image
After building your application into an image (Docker, etc.), you can check it for security issues you may have overlooked. Just pass the image name and tag to trivy image as shown below.
List your images:
$ docker images
REPOSITORY   TAG       IMAGE ID       CREATED      SIZE
nginx        latest    c39a868aad02   3 days ago   133MB
$ trivy image nginx
You should see a detailed report in the terminal output, with the same per-target summary line (Total: N (UNKNOWN: ..., CRITICAL: ...)) as in the file system scan above.
Embed Trivy in Dockerfile
Another feature of this tool is that you can embed it in a Dockerfile, so the image scans its own file system while it is being built and, with --exit-code 1, fails the build if vulnerabilities are found. We use an Alpine base image for the demonstration:
$ vim Dockerfile
FROM alpine:3.7

RUN apk add curl \
    && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin \
    && trivy filesystem --exit-code 1 --no-progress /
Two caveats before using this pattern in production. First, the RUN line fetches and executes an install script from the repository's master branch without pinning, so pin a release tag (the install script accepts one as its last argument) or install from a package you have verified. Second, because the scan runs inside the image, curl and the trivy binary remain in the final image unless you remove them or move the scan into a separate build stage; scanning the finished image from CI with trivy image --exit-code 1 gives the same gate without changing the image contents. With the Dockerfile in place, build the image; the output will look similar to the following.
$ docker build -t scanned-image .
Sending build context to Docker daemon 8.704 kB
Step 1/2 : FROM alpine:3.7
Trying to pull repository docker.io/library/alpine ...
3.7: Pulling from docker.io/library/alpine
5d20c808ce19: Pull complete
Digest: sha256:8421d9a84432575381bfabd248f1eb56f3aa21d9d7cd2511583c68c9b7511d10
Status: Downloaded newer image for docker.io/alpine:3.7
 ---> 6d1ef012b567
Step 2/2 : RUN apk add curl && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin && trivy filesystem --exit-code 1 --no-progress /
 ---> Running in 445558539f6f
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/community/x86_64/APKINDEX.tar.gz
(1/4) Installing ca-certificates (20190108-r0)
(2/4) Installing libssh2 (1.9.0-r1)
(3/4) Installing libcurl (7.61.1-r3)
(4/4) Installing curl (7.61.1-r3)
Executing busybox-1.27.2-r11.trigger
Executing ca-certificates-20190108-r0.trigger
OK: 6 MiB in 17 packages
aquasecurity/trivy info checking GitHub for latest tag
aquasecurity/trivy info found version: 0.12.0 for v0.12.0/Linux/64bit
aquasecurity/trivy info installed /usr/local/bin/trivy
2020-11-09T10:13:02.597Z INFO Need to update DB
2020-11-09T10:13:02.597Z INFO Downloading DB...
2020-11-09T10:13:27.545Z INFO Detecting Alpine vulnerabilities...
2020-11-09T10:13:27.547Z WARN This OS version is no longer supported by the distribution: alpine 3.7.3
2020-11-09T10:13:27.547Z WARN The vulnerability detection may be insufficient because security updates are not provided

445558539f6f (alpine 3.7.3)
===========================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)

+------------+------------------+----------+-------------------+---------------+--------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+------------+------------------+----------+-------------------+---------------+--------------------------------+
| musl       | CVE-2019-14697   | CRITICAL | 1.1.18-r3         | 1.1.18-r4     | musl libc through 1.1.23       |
|            |                  |          |                   |               | has an x87 floating-point      |
|            |                  |          |                   |               | stack adjustment imbalance,    |
|            |                  |          |                   |               | related...                     |
+------------+                  +          +                   +               +                                +
| musl-utils |                  |          |                   |               |                                |
+------------+------------------+----------+-------------------+---------------+--------------------------------+
Two things are worth noting here. Alpine 3.7 is end-of-life, so Trivy warns that its result may undercount: the distribution no longer publishes security fixes for that release. And because two CRITICAL findings were reported while --exit-code 1 was set, trivy exits non-zero and the build fails at this step, which is exactly the gate we wanted.
Filter vulnerabilities by severity
If you need to filter the report so that only HIGH and CRITICAL findings are shown, Trivy does that with --severity. In CI, pair it with --exit-code 1 so the job fails when any finding at those severities remains. Run a command similar to the following:
$ trivy image --severity HIGH,CRITICAL nginx:latest
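The --severity and --exit-code flags cover the simple "fail on anything HIGH or CRITICAL" case from the image-scan and severity-filter sections above. When a pipeline needs a richer policy (block on fixable findings only, carry a reviewed allowlist, print a summary for the job log), it is easier to have Trivy emit JSON (trivy image -f json -o report.json <image>) and apply the policy in a small script. The following is an added example written for this article, not code from the original post or from the Trivy project. It relies on the JSON field names Trivy emits (Target, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity) and accepts both the bare-list layout of Trivy 0.12 and the later {"Results": [...]} wrapper. The embedded SAMPLE_REPORT is constructed to mirror the two musl rows Trivy reported for Alpine 3.7 in the Dockerfile section above plus a clean Gemfile.lock target from the file system scan; the policy itself and the helper names are assumptions of this example, not Trivy features.

```python
"""Policy gate over Trivy JSON output (added example; not part of Trivy).

Usage:
    trivy image -f json -o report.json nginx:latest
    python trivy_gate.py report.json      # exit status 1 if the policy is violated

Policy (an assumption of this example, not a Trivy built-in):
  * findings at or above FAIL_ON severity block the pipeline,
  * unless no fixed version exists yet (nothing to upgrade to), or
  * unless the ID is on an allowlist that someone has explicitly reviewed.
"""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def results_of(report):
    """Return the per-target result list.

    Trivy 0.12-era output is a bare JSON list; newer releases wrap it as
    {"SchemaVersion": 2, "Results": [...]}. Accept both so the gate
    survives a Trivy upgrade.
    """
    if isinstance(report, dict):
        return report.get("Results") or []
    return report or []


def findings(report):
    """Yield (target, vulnerability) pairs. A clean target is emitted by
    Trivy with "Vulnerabilities": null, so treat None as an empty list."""
    for result in results_of(report):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "<unknown>"), vuln


def evaluate(report, fail_on="HIGH", ignore_unfixed=True, allowlist=()):
    """Apply the policy. Returns (blocking, counts):
    blocking - findings that violate the policy, in report order
    counts   - Counter of all findings by severity, for the job summary
    """
    threshold = SEVERITY_RANK[fail_on]
    allowed = set(allowlist)
    counts = Counter()
    blocking = []
    for target, vuln in findings(report):
        severity = vuln.get("Severity", "UNKNOWN")
        counts[severity] += 1
        if SEVERITY_RANK.get(severity, 0) < threshold:
            continue
        vuln_id = vuln.get("VulnerabilityID", "")
        if vuln_id in allowed:
            continue
        fixed = vuln.get("FixedVersion") or ""
        if ignore_unfixed and not fixed:
            continue
        blocking.append({
            "target": target, "id": vuln_id, "severity": severity,
            "pkg": vuln.get("PkgName", ""),
            "installed": vuln.get("InstalledVersion", ""),
            "fixed": fixed,
        })
    return blocking, counts


def summary(blocking, counts):
    """Log lines in the same shape as Trivy's own 'Total:' line, followed by
    one BLOCK line per policy violation."""
    total = "Total: %d (%s)" % (sum(counts.values()),
                                ", ".join("%s: %d" % (s, counts[s]) for s in SEVERITY_RANK))
    lines = [total]
    for b in blocking:
        lines.append("BLOCK %s %s %s %s -> %s (%s)" % (
            b["severity"], b["id"], b["pkg"], b["installed"],
            b["fixed"] or "no fix", b["target"]))
    return lines


# Constructed sample: mirrors the two musl rows Trivy reported for alpine 3.7
# in the article and a clean lock-file target. Not a captured report.
SAMPLE_REPORT = [
    {
        "Target": "445558539f6f (alpine 3.7.3)",
        "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2019-14697", "PkgName": "musl",
             "InstalledVersion": "1.1.18-r3", "FixedVersion": "1.1.18-r4",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2019-14697", "PkgName": "musl-utils",
             "InstalledVersion": "1.1.18-r3", "FixedVersion": "1.1.18-r4",
             "Severity": "CRITICAL"},
        ],
    },
    {"Target": "octant/site/Gemfile.lock", "Type": "bundler", "Vulnerabilities": None},
]


def main(argv):
    """Read the report named on the command line (or the sample), print the
    summary and return the process exit status for the CI job."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    blocking, counts = evaluate(report, fail_on="HIGH")
    print("\n".join(summary(blocking, counts)))
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keeping the allowlist explicit in the script (or a file it reads) rather than as a --severity tweak matters in review: a suppressed finding stays visible as a decision someone made, and dropping ignore_unfixed for a release branch turns unfixable findings back into blockers without touching the scanner invocation.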
Scan a project with lock files
If you have a project that ships lock files (a Python project, for example), you can scan its directory directly:
$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test
Scan the container from inside
It is also worth mentioning that Trivy can scan a running container from the inside. One way to do this is shown below; note that Trivy does not need to be installed on the host, only inside the container. The original one-liner in this guide ran nginx and then ran curl on the host, so the steps are shown separately here: open a shell in the container, install curl (the nginx image is Debian-based and does not ship it), install Trivy and scan the container's root file system.
$ docker run --rm -it nginx bash
# the remaining commands run inside the container:
apt-get update && apt-get install -y curl
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin
trivy fs /
We have only peeled a few layers of the Trivy onion; there is much more to explore. For more information about this companion tool, see its official GitHub page.
Technology keeps reshaping our lives, and while that creates more opportunities for attackers, there are also people doing their best to equip defenders. Trivy is one such tool, and we hope it gives developers real support. Thank you for visiting; we hope this guide was helpful, and we wish you the best results in a challenging year.