Exploring Trivy: A Comprehensive Guide to Container Vulnerability Scanning

UpdatedNovember 14, 2024

•3 min read

Exploring Trivy: A Comprehensive Guide to Container Vulnerability Scanning

"Hello, I'm Kiran Pawar, a passionate Cloud and Devops Engineer with a strong background in cloud automation, configuration, and deployment. My journey in the world of technology has been a thrilling adventure, where I've had the privilege to work with cutting-edge tools and practices.

🚀 As a DevOps Engineer:

I specialize in automating, configuring, and deploying instances in cloud environments and data centers. My expertise extends to DevOps, GitOps, CI/CD pipeline management, HashiCorp Terraform, and containerization. I'm proficient in AWS and Linux/Unix administration, ensuring robust infrastructure and application performance.

🔧 My Tech Stack:

Front-end skills: HTML, CSS, SCSS, Tailwind CSS, Bootstrap, React, Material-UI, JavaScript DevOps toolbox: GIT, OWASP,Nexus,Trivy, Github, Gitlab, Terraform, Ansible, Docker, Kubernetes, Helm, Jenkins, Prometheus, Grafana, Argo CD, AWS EKS.

🌐 My Cloud Expertise:

I have hands-on experience managing AWS services, including EC2, S3, EBS, VPC, ELB, RDS, IAM, Route53, and more.

🔒 Networking and Security:

My skills include managing networking concepts such as TCP/IP protocols, security policies, and subnet interfacing. I have a strong understanding of infrastructure and networking, covering topics like firewalls, IP addressing, DNS, and more.

💡 What Sets Me Apart:

I bring a positive attitude, a strong work ethic, and a collaborative spirit to every project. I'm a self-starter, a fast learner, and an effective team player with strong interpersonal skills. In addition to my DevOps skills, I've developed shell scripts (Bash) for automating tasks and have proficiency in Python scripting. My ability to communicate and manage projects, along with a track record of resolving client issues, adds value to every team I work with. If you're looking for a DevOps engineer who is also well-versed in front-end technologies, feel free to connect with me. Let's explore new possibilities and create exceptional technical solutions together!"

1. Overview

Trivy, an open-source vulnerability scanner, specializes in container images and applications. Widely utilized in DevOps and CI/CD pipelines, Trivy ensures containerized applications are devoid of known vulnerabilities, enhancing overall security.

2. Container Security

Containers encapsulate applications and dependencies. Trivy scans container images, focusing on vulnerabilities in operating system packages, libraries, and application dependencies, promoting robust container security.

3. Features

Fast Scanning: Trivy ensures quick vulnerability scans, ideal for integration into continuous integration (CI) processes.
Comprehensive Databases: Utilizing CVE, NVD, and other vulnerability databases, Trivy identifies known vulnerabilities.
Ease of Use: With a simple command-line interface, Trivy is user-friendly and integrable into various CI/CD tools.
Support for Multiple Languages: Trivy is language-agnostic, analyzing container images with applications developed in various programming languages.

4. Usage

Run Trivy on container images during development and testing stages.
Incorporate Trivy into CI/CD pipelines for automated vulnerability scanning during deployment.

5. Integration

Integrate Trivy with CI/CD tools like Jenkins, GitLab CI, GitHub Actions, etc.
An API allows developers and security teams to integrate vulnerability scanning into custom workflows.

6. Output Formats

Trivy provides scan results in formats such as JSON, YAML, etc., facilitating integration into diverse tools.

7. Configuration Options

Users can configure Trivy to exclude specific vulnerabilities or define custom policies based on security requirements.

8. Continuous Updates

Trivy's vulnerability databases receive regular updates to include the latest security information.

Trivy Installation Steps

# Install required packages
sudo apt-get install wget apt-transport-https gnupg lsb-release

# Download Trivy public key and add it to the keyring
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null

# Add Trivy repository to sources list
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list

# Update package information
sudo apt-get update

# Install Trivy
sudo apt-get install trivy -y

Execution Commands

Trivy supports various output formats such as "table," "json," "template," "sarif," "cyclonedx," "spdx," "spdx-json," "github," and "cosign-vuln."

File System Scanning

# Scan a specific path
trivy fs path

# Scan a folder with specific scanners
trivy fs --scanners vuln,misconfig Folder_name_OR_Path

# Scan a folder with specific severity levels
trivy fs --severity HIGH,CRITICAL Folder_name_OR_Path

# Scan a folder with specific scanners and severity levels
trivy fs --scanners vuln,misconfig --severity HIGH,CRITICAL Folder_name_OR_Path

# Export the report
trivy fs --format table -o report.html folderpath

Docker Image Scanning

# Scan a Docker image
trivy image imagename

# Scan a Docker image with specific severity levels
trivy image --severity HIGH,CRITICAL image_name

# Save the scan report to a file
trivy image --format table -o trivy_report.txt your_container_image

Git Repository Scanning

# Scan a Git repository
trivy repo repo-url

# Example: Scan a GitHub repository
trivy repo repo-url https://github.com/jaiswaladi246/Ekart.git

Kubernetes Cluster Scanning

# Scan a Kubernetes cluster and generate a summary report
trivy k8s --report summary cluster

Additional Notes

The GitHub repository for the Aqua Security Scanner Jenkins plugin can be found here.
To retrieve a list of container images used by pods in a Kubernetes cluster, use the following command:

kubectl get pods -o=jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}'

The output can be piped to Trivy for vulnerability scanning:

kubectl get pods -o=jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}' | trivy image --format json -

This command extracts container images from pod specifications and scans them using Trivy, with the output in JSON format.

Comments (1)

Join the discussion

Johnny Corey2y ago

Earning through cryptocurrency is genuine, If you are new to crypto trading and you don't know how to earn from it or your an old investor who have been losing try to earn from cryptocurrency, here is an opportunity for you to earn through cryptocurrency trading visit Adelynn Richardson fx on lnstagram/Facebook for a safe and secure investment

More from this blog

Setting Up Jenkins with Reverse Proxy, Domain, and SSL Certification

Introduction Jenkins is a popular open-source automation server used for CI/CD pipelines. To enhance its security and accessibility, setting up a reverse proxy, assigning a domain, and securing it with an SSL certificate is essential. This guide will...

Mar 18, 20252 min read

Setting Up Jenkins with Reverse Proxy, Domain, and SSL Certification

15. route53 policies

Step: 1 Create an instance. Step: 2 run below commands and make sure you are changing domain name accordingly and also make sure all your subdomains were recorded in route53, watch myvideo day 00 video if you have doubt.Example my records for route53...

Feb 17, 20252 min read

14 Introduction to Auto Scaling Groups and Their Configuration

#/bin/bash sudo apt update sudo apt install software-properties-common -y sudo apt-add-repository --yes --update ppa:ansible/ansible sudo apt update sudo apt install ansible -y sudo apt install nginx -y sudo apt install python-apt -y sudo apt install...

Feb 17, 20251 min read

13. Application Load Balancer (ALB)

Creating an Application Load Balancer (ALB) and configuring it with multiple target groups can significantly enhance your application's scalability and reliability. Here's a step-by-step guide along with a diagram: Steps: Instance Setup: Launch fou...