Use Trivy to scan Docker container images for vulnerabilities


Security is evolving all the time, and that is a good thing. Before releasing an application into a production environment, serious security considerations and agreements are required to help protect your assets, because there are many bad actors on the Internet waiting for you to deploy after a sleepless night. To contribute to the security of your containerized applications, today we embark on this security path, hoping to inspire some confidence and provide tools that can walk with you on the journey. Today we introduce Trivy.

Trivy is a simple and comprehensive vulnerability scanner for containers and other artifacts. It detects vulnerabilities in operating system packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Before pushing to a container registry or deploying the application, you can easily scan the local container image and other artifacts and satisfy yourself that everything is fine with the application, without the heavier configuration that other scanners require.

Features of Trivy

Trivy offers the following features that you will enjoy:

  • Comprehensive vulnerability detection
  • Simplicity: specify only the image name or artifact name
  • Fast: the first scan completes within 10 seconds (depending on your network); subsequent scans complete in a few seconds
  • DevSecOps: suitable for CI, such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
  • Supports multiple targets, including container images, local file systems and remote git repositories
  • Easy to install: apt-get, yum and brew installation with no prerequisites such as a database or library installation

How to install the Trivy container image scanner

Trivy can be installed on many Linux distributions and on macOS. We will cover the installation of Trivy on CentOS, Ubuntu, Debian, Arch and macOS. Let the show begin.

Install Trivy on CentOS

If you want to install Trivy on a CentOS machine, you have two options. You can use Trivy's repository, or you can install it directly from its RPM package. To install from the repository, add the following repository definition and proceed to install Trivy.

echo -e "\n[trivy]\nname=Trivy repository\nbaseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/\$releasever/\$basearch/\ngpgcheck=0\nenabled=1" | sudo tee -a /etc/yum.repos.d/trivy.repo

After adding the Trivy repository, update the server and install the trivy package as follows:

sudo yum -y update
sudo yum -y install trivy

To install Trivy from its RPM package instead, find the latest Trivy version on the releases page and then run the following command:

$ rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.12.0/trivy_0.12.0_Linux-64bit.rpm

Install Trivy on Debian | Ubuntu

Similar to installing Trivy on CentOS, you can install it on a Debian | Ubuntu box in two ways. You can use Trivy's repository, or you can install it directly from its DEB package. To install from the repository, add the following repository and proceed to install Trivy.

sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee /etc/apt/sources.list.d/trivy.list

After adding the Trivy repository, update the server and install the trivy package as follows:

sudo apt-get update
sudo apt-get install trivy

Or, if you prefer the DEB package, you can install Trivy from it directly. To install Trivy this way, find the latest Trivy version on the releases page and then run the following commands:

wget <deb-package-url>
sudo apt install ./<deb-package>.deb

Install Trivy on Arch Linux | Manjaro

Well, for all loyal Arch fans, you can easily install Trivy on your computer using the pikaur or yay AUR helper, as shown below.

pikaur -Sy trivy-bin

Or you can use the yay AUR helper like this:

yay -Sy trivy-bin

Install Trivy on macOS

For Mac users, you will not be left behind: you can install this cool tool on macOS via Homebrew by running the following command:

brew install aquasecurity/trivy/trivy

Trivy in Action – How to use Trivy

After installing Trivy, we are ready to get down to business immediately. Trivy covers countless use cases, and we will cover some of them in this guide.

Scan file system

Trivy can scan file systems (such as a host, a virtual machine image, or an unpacked container image file system). During the scan it finds vulnerabilities based on lock files (such as Gemfile.lock and package-lock.json). The syntax is as follows:

$ trivy fs /home/vagrant

2020-11-09T10:35:41.656Z        WARN    OS is not detected and vulnerabilities in OS packages are not detected.
2020-11-09T10:35:41.656Z        INFO    Detecting ruby vulnerabilities...
2020-11-09T10:35:41.656Z        INFO    Detecting nodejs vulnerabilities...

octant/site/Gemfile.lock
========================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


octant/web/package-lock.json
============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Scan your Git repository

Fortunately, you can scan remote git repositories with this simple but powerful tool. Note that only public repositories are supported. Use the repo subcommand to scan a Git repository as follows:

$ trivy repo https://github.com/aquasecurity/trivy

2020-11-09T07:13:25.265Z        INFO    Need to update DB
2020-11-09T07:13:25.265Z        INFO    Downloading DB...
19.13 MiB / 19.13 MiB [-----------------------------------------------------------] 100.00% 512.75 KiB p/s 38s
Enumerating objects: 2338, done.
Counting objects: 100% (2338/2338), done.
Compressing objects: 100% (1260/1260), done.


Total 2338 (delta 1229), reused 1943 (delta 933), pack-reused 0
2020-11-09T07:40:29.758Z        WARN    OS is not detected and vulnerabilities in OS packages are not detected.

Scan image

After building your application into an image (Docker, etc.), you can check for any security issues you may have overlooked. Just pass the image name and tag to your trivy command as shown below.

List your images:

$ docker images

REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              c39a868aad02        3 days ago          133MB
Then scan the image you want to check:

$ trivy image nginx

You should see an exhaustive, detailed report in the terminal output, beginning with a per-severity summary line.

Embed Trivy in Dockerfile

Another cool feature of this tool is that you can include it in a Dockerfile, and it will scan everything when the image is built. We will use an Alpine base image for demonstration here, as shown below:

$ vim Dockerfile

FROM alpine:3.7

RUN apk add curl \
    && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin \
    && trivy filesystem --exit-code 1 --no-progress /

Then sit back and build the image; the output should be similar to the one shown below.

$ docker build -t scanned-image .

Sending build context to Docker daemon 8.704 kB
Step 1/2 : FROM alpine:3.7
Trying to pull repository docker.io/library/alpine ...
3.7: Pulling from docker.io/library/alpine
5d20c808ce19: Pull complete
Digest: sha256:8421d9a84432575381bfabd248f1eb56f3aa21d9d7cd2511583c68c9b7511d10
Status: Downloaded newer image for docker.io/alpine:3.7
 ---> 6d1ef012b567
Step 2/2 : RUN apk add curl     && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin     && trivy filesystem --exit-code 1 --no-progress /
 ---> Running in 445558539f6f

fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/community/x86_64/APKINDEX.tar.gz
(1/4) Installing ca-certificates (20190108-r0)
(2/4) Installing libssh2 (1.9.0-r1)
(3/4) Installing libcurl (7.61.1-r3)
(4/4) Installing curl (7.61.1-r3)
Executing busybox-1.27.2-r11.trigger
Executing ca-certificates-20190108-r0.trigger
OK: 6 MiB in 17 packages
aquasecurity/trivy info checking GitHub for latest tag
aquasecurity/trivy info found version: 0.12.0 for v0.12.0/Linux/64bit
aquasecurity/trivy info installed /usr/local/bin/trivy
2020-11-09T10:13:02.597Z        INFO    Need to update DB
2020-11-09T10:13:02.597Z        INFO    Downloading DB...
2020-11-09T10:13:27.545Z        INFO    Detecting Alpine vulnerabilities...
2020-11-09T10:13:27.547Z        WARN    This OS version is no longer supported by the distribution: alpine 3.7.3
2020-11-09T10:13:27.547Z        WARN    The vulnerability detection may be insufficient because security updates are not provided   

445558539f6f (alpine 3.7.3)
===========================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)

+------------+------------------+----------+-------------------+---------------+--------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+------------+------------------+----------+-------------------+---------------+--------------------------------+
| musl       | CVE-2019-14697   | CRITICAL | 1.1.18-r3         | 1.1.18-r4     | musl libc through 1.1.23       |
|            |                  |          |                   |               | has an x87 floating-point      |
|            |                  |          |                   |               | stack adjustment imbalance,    |
|            |                  |          |                   |               | related...                     |
+------------+                  +          +                   +               +                                +
| musl-utils |                  |          |                   |               |                                |
|            |                  |          |                   |               |                                |
|            |                  |          |                   |               |                                |
|            |                  |          |                   |               |                                |
+------------+------------------+----------+-------------------+---------------+--------------------------------+


Filter vulnerabilities by severity

If you need to filter the generated report so that only HIGH and CRITICAL findings (or whichever severities you choose) are shown, Trivy helps you immediately. Just run a command similar to the following:

$ trivy image --severity HIGH,CRITICAL nginx:latest
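A severity filter is most useful when a pipeline acts on it. The following Python script is an added example, not code from the article or from the Trivy project: it reads a report written with Trivy's JSON output (`trivy image --format json -o report.json nginx:latest`) and reproduces the `--exit-code 1` gate from the Dockerfile section above, failing the build only for the severities you choose, skipping an explicit list of reviewed-and-accepted vulnerability IDs, and pointing out which blocking findings already have a fixed version. The embedded sample report is constructed: its two musl rows copy the CVE-2019-14697 findings from the build output above, and the third row uses a placeholder ID (CVE-0000-EXAMPLE) that is not a real CVE. The function names (`summarize`, `gate`, `format_total`) are this example's own.

```python
#!/usr/bin/env python3
"""CI gate over a Trivy JSON report (added example, not the article's or Trivy's code).

Produce the report first, then run this script on it:
    trivy image --format json -o report.json nginx:latest
    python3 trivy_gate.py report.json [accepted-CVE-ID ...]
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def load_report(path):
    """Read the JSON file written by `trivy ... --format json -o <path>`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def iter_results(report):
    """Return the per-target result entries. Trivy 0.12 writes a top-level
    list; later releases wrap it as {"Results": [...]}. Both are accepted."""
    if isinstance(report, dict):
        return report.get("Results") or []
    return report or []


def summarize(report, fail_on=("HIGH", "CRITICAL"), ignore=frozenset()):
    """Count findings per severity and collect the ones that should block.

    fail_on: severities that fail the gate (same idea as --severity HIGH,CRITICAL).
    ignore:  vulnerability IDs that were reviewed and accepted for this image.
    """
    counts = Counter({sev: 0 for sev in SEVERITY_ORDER})
    blocking, ignored = [], 0
    for result in iter_results(report):
        for vuln in result.get("Vulnerabilities") or []:
            vuln_id = vuln.get("VulnerabilityID", "")
            if vuln_id in ignore:
                ignored += 1
                continue
            severity = (vuln.get("Severity") or "UNKNOWN").upper()
            counts[severity] += 1
            if severity in fail_on:
                blocking.append({
                    "target": result.get("Target", ""),
                    "id": vuln_id,
                    "pkg": vuln.get("PkgName", ""),
                    "installed": vuln.get("InstalledVersion", ""),
                    "fixed": vuln.get("FixedVersion", ""),
                    "severity": severity,
                })
    return {"counts": counts, "blocking": blocking, "ignored": ignored}


def format_total(counts):
    """Render the summary line in the same shape Trivy prints it."""
    parts = ", ".join(f"{sev}: {counts[sev]}" for sev in SEVERITY_ORDER)
    return f"Total: {sum(counts.values())} ({parts})"


def gate(report, fail_on=("HIGH", "CRITICAL"), ignore=frozenset()):
    """Print the summary and return the exit code: 1 when any non-ignored
    finding matches fail_on (like `trivy --exit-code 1`), otherwise 0."""
    summary = summarize(report, fail_on, ignore)
    print(format_total(summary["counts"]), f"| ignored: {summary['ignored']}")
    for f in summary["blocking"]:
        fix = f"fix: {f['fixed']}" if f["fixed"] else "no fix available yet"
        print(f"  {f['severity']:<8} {f['id']:<16} {f['pkg']} "
              f"{f['installed']} ({fix}) [{f['target']}]")
    return 1 if summary["blocking"] else 0


# Constructed sample report in Trivy's JSON layout. The two musl rows copy the
# CVE-2019-14697 findings from the article's build output; the third row is a
# placeholder (CVE-0000-EXAMPLE is not a real CVE) showing an unfixed MEDIUM.
SAMPLE_REPORT = [
    {
        "Target": "445558539f6f (alpine 3.7.3)",
        "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2019-14697", "PkgName": "musl",
             "InstalledVersion": "1.1.18-r3", "FixedVersion": "1.1.18-r4",
             "Severity": "CRITICAL",
             "Title": "musl libc through 1.1.23 has an x87 floating-point "
                      "stack adjustment imbalance, related..."},
            {"VulnerabilityID": "CVE-2019-14697", "PkgName": "musl-utils",
             "InstalledVersion": "1.1.18-r3", "FixedVersion": "1.1.18-r4",
             "Severity": "CRITICAL",
             "Title": "musl libc through 1.1.23 has an x87 floating-point "
                      "stack adjustment imbalance, related..."},
            {"VulnerabilityID": "CVE-0000-EXAMPLE", "PkgName": "example-pkg",
             "InstalledVersion": "1.0-r0", "FixedVersion": "",
             "Severity": "MEDIUM", "Title": "constructed placeholder finding"},
        ],
    }
]


if __name__ == "__main__":
    # First argument ending in .json is the report; any further arguments are
    # accepted IDs. With no report argument the constructed sample is gated.
    args = sys.argv[1:]
    data = load_report(args.pop(0)) if args and args[0].endswith(".json") else SAMPLE_REPORT
    sys.exit(gate(data, ignore=set(args)))
```

Run against the sample, the gate exits 1 because of the two CRITICAL musl findings; pass `CVE-2019-14697` as an accepted ID and it exits 0 while still reporting the unfixed MEDIUM in the summary line. Keeping the accepted-ID list in the repository next to the Dockerfile makes every exception reviewable in the same pull request as the image change.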


Scan projects with lock files

If you have a Python project, it probably contains lock files. You can scan such projects as follows:

$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test

Scan the container from inside

To add more sugar to the sweetness we enjoy, it is worth mentioning that Trivy can scan a running container from the inside. Here is one possible way; note that you do not need to install Trivy on the host, because the installer and the scan both run inside the container.

$ docker run --rm -it nginx sh -c \
    'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin \
     && trivy fs /'

We have only peeled a few leaves off the Trivy onion, and there is much more for you to grab and explore. For more information about this cool security companion, check its official GitHub page; you will leave there with a smile.

Concluding thoughts

We are only surprised when we consider how innovation and technology continue to play a role in our lives. Although there may be more opportunities for hackers to get involved, there are still warriors doing their best to strengthen those at a disadvantage. Trivy is such a hero tool, and we hope it gives developers the greatest support. Otherwise, we are very happy that you visited us and hope this guide was helpful to you. Thank you for your support, and may you achieve the best results in a challenging year. You can read the other guides and articles shared below:

Install security updates/patches on CentOS 8 only

Data security and online privacy: why gamers are ideal targets

Use Active Directory to authenticate Kubernetes dashboard users
