Docker images are the starting point of every container, and building one is a common way to package and deploy an application. How safe that deployment is depends largely on the strategy used to build the image: an image that ships with vulnerable packages puts the application running in it at risk. A Docker image is normally built from a Dockerfile, starting from at least one base-image layer with further layers stacked on top as the Dockerfile instructs. Once the image has been built from the Dockerfile, those layers are fixed.
A vulnerability is a weakness that can be exploited to compromise a system. To find such vulnerabilities we can use Trivy, a simple and comprehensive scanner for file systems, Git repositories, container images, and misconfigurations. This open-source tool was developed by Aqua Security in 2019. It detects vulnerabilities in OS packages (Alpine, RHEL, CentOS, etc.) as well as in application dependencies managed by Bundler, Composer, npm, yarn, and others. Moreover, it can scan Infrastructure as Code (IaC) files, for example Kubernetes manifests and Terraform, and report configuration issues. You can also use Trivy to scan for hardcoded secrets such as passwords, API keys, and tokens.
The main features of Trivy are:
- Simple: using Trivy only involves specifying an image name, a directory containing IaC configs, or an artifact name
- Easy installation: it can be installed from apt, yum, brew, or Docker Hub, and no prerequisites such as a database or system libraries are required
- High accuracy: detection is especially accurate on Alpine Linux and RHEL/CentOS, and accurate on other operating systems as well
- Support for multiple targets: it can scan container images, local filesystems, and remote Git repositories
- Fast: the first scan takes less than 10 seconds depending on your internet speed, and subsequent scans finish in about a second
- Detection of IaC misconfigurations: it ships with a wide variety of built-in policies for Kubernetes, Terraform, Docker, etc.
In this guide, we will learn how to scan Docker images and Git repositories for vulnerabilities using Trivy.
Install Trivy on Your System
Trivy can be installed on different platforms. This involves adding the Trivy repositories to the system and then installing it via the package manager.
1. Install Trivy on RHEL/CentOS/Rocky
Add the repository using the commands below (note that gpgcheck=0 disables signature verification of packages from this repository):
RELEASE_VERSION=$(grep -Po '(?<=VERSION_ID=")[0-9]' /etc/os-release)
cat << EOF | sudo tee -a /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$RELEASE_VERSION/\$basearch/
gpgcheck=0
enabled=1
EOF
Once added, install Trivy using the command:
sudo yum -y install trivy
Alternatively, you can install Trivy from an RPM package obtained from the GitHub Releases page:
sudo yum -y install wget curl
VER=$(curl -s https://api.github.com/repos/aquasecurity/trivy/releases/latest|grep tag_name|cut -d '"' -f 4|sed 's/v//')
wget https://github.com/aquasecurity/trivy/releases/download/v${VER}/trivy_${VER}_Linux-64bit.rpm
sudo rpm -Uvh ./trivy_${VER}_Linux-64bit.rpm
2. Install Trivy on Debian/Ubuntu
The Trivy repository can be added to Debian/Ubuntu systems using the commands:
sudo apt install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee /etc/apt/sources.list.d/trivy.list
Now update the APT package index and install Trivy:
sudo apt update
sudo apt install trivy
You can also use a DEB package obtained from the GitHub Releases page:
VER=$(curl -s https://api.github.com/repos/aquasecurity/trivy/releases/latest|grep tag_name|cut -d '"' -f 4|sed 's/v//')
wget https://github.com/aquasecurity/trivy/releases/download/v${VER}/trivy_${VER}_Linux-64bit.deb
sudo dpkg -i trivy_${VER}_Linux-64bit.deb
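Both direct-package paths above (the RPM on RHEL and the DEB here) install a binary downloaded from GitHub without checking it first. Trivy's releases also publish a checksums file next to the packages, so fetching it alongside the package lets you confirm the download before running rpm or dpkg. The script below is an added example, not part of this article or of the Trivy project; it assumes the checksums file is named trivy_${VER}_checksums.txt and uses the common "<sha256>  <filename>" line format, and it demonstrates the check on a constructed file rather than a real download.

```python
"""Verify a downloaded Trivy package against the release checksums file.

Added example: the checksums file name (trivy_<VER>_checksums.txt) and its
'<sha256>  <file name>' line format are assumptions, not taken from the article.
"""
import hashlib
import os
import tempfile


def parse_checksums(text):
    """Map file names to SHA-256 digests from '<sha256>  <file name>' lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # ignore blank or malformed lines
        digest, name = parts
        table[name] = digest.lower()
    return table


def sha256_of_file(path):
    """Hash the file in chunks so a large package never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_package(path, checksums_text):
    """True only if the file's digest equals the published digest for its base name.

    A missing entry counts as a failure: a package the release does not list
    is not something we want to hand to rpm or dpkg.
    """
    expected = parse_checksums(checksums_text).get(os.path.basename(path))
    return expected is not None and sha256_of_file(path) == expected


def demo():
    """Constructed round trip: a fake package, its checksum line, and a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "trivy_0.0.0_Linux-64bit.deb")  # placeholder version
        with open(pkg, "wb") as fh:
            fh.write(b"constructed package bytes, not a real .deb\n")
        checksums = "%s  %s\n" % (sha256_of_file(pkg), os.path.basename(pkg))
        good = verify_package(pkg, checksums)
        with open(pkg, "ab") as fh:
            fh.write(b"X")  # simulate a corrupted or altered download
        bad = verify_package(pkg, checksums)
        return good, bad


if __name__ == "__main__":
    # Real use: verify_package("trivy_<VER>_Linux-64bit.deb", open("trivy_<VER>_checksums.txt").read())
    print("intact verified: %s, tampered verified: %s" % demo())
```

In a real install you would download the package and the checksums file from the same release, call verify_package on the package, and only then run rpm -Uvh or dpkg -i.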
3. Install Trivy on Arch Linux
Trivy can be installed on Arch Linux from the Arch User Repository as shown:
- yay
yay -Sy trivy-bin
- pikaur
pikaur -Sy trivy-bin
4. Homebrew
Homebrew provides Trivy packages for both macOS and Linux. Use the command below to install Trivy from Homebrew:
brew install aquasecurity/trivy/trivy
Scanning For Vulnerabilities using Trivy
Once Trivy has been installed, it can be used to perform vulnerability scanning on:
- Container Images
- Filesystem
- Git Repositories
The below steps can be used to perform any of the mentioned scans.
A. Scanning Container Images for Vulnerabilities using Trivy
Trivy can scan a container image with a single command of the form:
trivy image [YOUR_IMAGE_NAME]
For example:
trivy image python:3.4-alpine
Sample Output:
You can also scan an image saved as a TAR file, for example:
docker pull ruby:3.1-alpine3.15
docker save ruby:3.1-alpine3.15 -o ruby-3.1.tar
trivy image --input ruby-3.1.tar
Sample Output:
B. Scanning Filesystems for Vulnerabilities using Trivy
The command for this has the syntax:
$ trivy fs /path/to/project
For example, scanning a local project with language-specific files:
git clone https://github.com/aquasecurity/trivy-ci-test.git
trivy fs trivy-ci-test
Sample Output:
You can also scan a single file in the project, say Pipfile.lock, using the command:
trivy fs trivy-ci-test/Pipfile.lock
C. Scanning Git Repositories for Vulnerabilities using Trivy
To scan a Git repository for vulnerabilities, use a command of the form:
$ trivy repo https://github.com/knqyf263/trivy-ci-test
Replace https://github.com/knqyf263/trivy-ci-test with the URL of your Git repository.
Execution output:
To scan a private Git repository, set the GITHUB_TOKEN or GITLAB_TOKEN environment variable to a token that has access to the repository:
For example:
##For GITHUB##
export GITHUB_TOKEN="your_private_github_token"
trivy repo <your private GitHub repo URL>
##For GITLAB##
export GITLAB_TOKEN="your_private_gitlab_token"
trivy repo <your private GitLab repo URL>
Once the token is exported, the scan command itself is the same as for a public repository.
Misconfiguration Scanning with Trivy
Aside from vulnerabilities, you can use Trivy to scan for misconfigurations in Docker, Kubernetes, Terraform, and CloudFormation files. It is also possible to write your own policies in Rego and apply them to your JSON, YAML, and other configuration files.
The command has the syntax:
$ trivy config [YOUR_IaC_DIRECTORY]
For example, scanning a Dockerfile:
mkdir iac
vim iac/Dockerfile
Add the below lines to the file:
FROM composer:1.7.2
COPY composer_laravel.lock /php-app/composer.lock
COPY Gemfile_rails.lock /ruby-app/Gemfile.lock
COPY package-lock_react.json /node-app/package-lock.json
COPY Pipfile.lock /python-app/Pipfile.lock
COPY Cargo.lock /rust-app/Cargo.lock
Save and scan the file using the command:
trivy config ./iac
Sample Output:
Trivy also detects the type of each file, so a directory can contain mixed IaC files, for example:
$ ls iac/
Dockerfile deployment.yaml main.tf mysql-8.8.26.tar
Perform the scan:
trivy conf --severity HIGH,CRITICAL ./iac
Sample Output:
Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)
...
deployment.yaml (kubernetes)
============================
Tests: 28 (SUCCESSES: 15, FAILURES: 13, EXCEPTIONS: 0)
Failures: 13 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)
...
main.tf (terraform)
===================
Tests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)
Failures: 9 (HIGH: 6, CRITICAL: 1)
...
bucket.yaml (cloudformation)
============================
Tests: 9 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)
...
mysql-8.8.26.tar:templates/primary/statefulset.yaml (helm)
==========================================================
Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
....
Misconfiguration detection can also be enabled in container image, filesystem, and Git repository scans by adding the --security-checks config flag. For example:
##For container images
trivy image --security-checks config IMAGE_NAME
##For filesystems
trivy fs --security-checks config /path/to/dir
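The image scans in section A and the combined vulnerability-plus-misconfiguration scans shown here only protect a pipeline if the CI job can fail on what they find. Trivy can write its report as JSON (for example trivy image --format json -o report.json IMAGE_NAME), and the script below, an added example that is not part of this article or of the Trivy project, reads such a report, tallies vulnerabilities and failed misconfiguration checks by severity, and returns a pass/fail decision. The embedded SAMPLE_REPORT is constructed for the demo (placeholder CVE IDs, check IDs, image and package names, not real findings); the field names follow Trivy's JSON report (Results, Vulnerabilities, Misconfigurations, Severity, FixedVersion).

```python
"""Gate a CI job on the findings in a Trivy JSON report (added example)."""
import json
import sys
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in the shape of `trivy ... --format json` output.
# CVE IDs, check IDs, image name and package names are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example/app:1.0",
    "Results": [
        {
            "Target": "registry.example/app:1.0 (alpine 3.15.0)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libplaceholder",
                 "InstalledVersion": "1.0-r0", "FixedVersion": "1.0-r1", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "otherlib",
                 "InstalledVersion": "2.3-r0", "FixedVersion": "", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "otherlib",
                 "InstalledVersion": "2.3-r0", "FixedVersion": "2.4-r0", "Severity": "LOW"},
            ],
        },
        {
            "Target": "Dockerfile",
            "Class": "config",
            "Type": "dockerfile",
            "Misconfigurations": [
                {"ID": "DS-PLACEHOLDER-1", "Title": "Image runs as root",
                 "Severity": "HIGH", "Status": "FAIL"},
                {"ID": "DS-PLACEHOLDER-2", "Title": "Base image tag pinned",
                 "Severity": "LOW", "Status": "PASS"},
            ],
        },
    ],
})


def load_findings(report_text, ignore_unfixed=False):
    """Flatten a report into (kind, id, severity, target) tuples.

    ignore_unfixed mirrors Trivy's own --ignore-unfixed option: skip
    vulnerabilities with no FixedVersion, which the image owner cannot patch yet.
    """
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results") or []:
        target = result.get("Target", "")
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            findings.append(("vuln", vuln["VulnerabilityID"],
                             vuln.get("Severity", "UNKNOWN"), target))
        for misconf in result.get("Misconfigurations") or []:
            if misconf.get("Status", "FAIL") != "FAIL":
                continue  # only failed checks count against the build
            findings.append(("misconfig", misconf["ID"],
                             misconf.get("Severity", "UNKNOWN"), target))
    return findings


def count_by_severity(findings):
    """Return a dict with a count for every severity level, zeros included."""
    counts = Counter(severity for _, _, severity, _ in findings)
    return {level: counts.get(level, 0) for level in SEVERITIES}


def gate(report_text, fail_on=("HIGH", "CRITICAL"), ignore_unfixed=False):
    """Return (passed, counts); passed is False if any finding is at a fail_on level."""
    counts = count_by_severity(load_findings(report_text, ignore_unfixed))
    return all(counts[level] == 0 for level in fail_on), counts


if __name__ == "__main__":
    # Usage: trivy image --format json -o report.json IMAGE && python gate.py report.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, counts = gate(text)
    for level in reversed(SEVERITIES):
        print("%-8s %d" % (level, counts[level]))
    sys.exit(0 if passed else 1)
```

Run with no argument it evaluates the constructed sample and exits 1, because the sample holds HIGH and CRITICAL findings. Trivy's own --exit-code and --severity flags cover the simple case; a script like this is useful when the policy differs per finding type or when several reports from one pipeline have to be combined.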
Closing Thoughts
We have walked through how to scan Docker images, filesystems, and Git repositories for vulnerabilities using Trivy. I hope you found it useful.