Kiran Pawar's Blog

Exploring Trivy: A Comprehensive Guide to Container Vulnerability Scanning

Kiran's photo
Kiran
·

3 min read

Table of contents

1. Overview

Trivy, an open-source vulnerability scanner, specializes in container images and applications. Widely utilized in DevOps and CI/CD pipelines, Trivy ensures containerized applications are devoid of known vulnerabilities, enhancing overall security.

2. Container Security

Containers encapsulate applications and dependencies. Trivy scans container images, focusing on vulnerabilities in operating system packages, libraries, and application dependencies, promoting robust container security.

3. Features

  • Fast Scanning: Trivy ensures quick vulnerability scans, ideal for integration into continuous integration (CI) processes.

  • Comprehensive Databases: Utilizing CVE, NVD, and other vulnerability databases, Trivy identifies known vulnerabilities.

  • Ease of Use: With a simple command-line interface, Trivy is user-friendly and integrable into various CI/CD tools.

  • Support for Multiple Languages: Trivy is language-agnostic, analyzing container images with applications developed in various programming languages.

4. Usage

  • Run Trivy on container images during development and testing stages.

  • Incorporate Trivy into CI/CD pipelines for automated vulnerability scanning during deployment.

5. Integration

  • Integrate Trivy with CI/CD tools like Jenkins, GitLab CI, GitHub Actions, etc.

  • An API allows developers and security teams to integrate vulnerability scanning into custom workflows.

6. Output Formats

  • Trivy provides scan results in formats such as JSON, YAML, etc., facilitating integration into diverse tools.

7. Configuration Options

  • Users can configure Trivy to exclude specific vulnerabilities or define custom policies based on security requirements.

8. Continuous Updates

  • Trivy's vulnerability databases receive regular updates to include the latest security information.

Trivy Installation Steps

# Install required packages
sudo apt-get install wget apt-transport-https gnupg lsb-release

# Download Trivy public key and add it to the keyring
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null

# Add Trivy repository to sources list
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list

# Update package information
sudo apt-get update

# Install Trivy
sudo apt-get install trivy -y

Execution Commands

Trivy supports various output formats such as "table," "json," "template," "sarif," "cyclonedx," "spdx," "spdx-json," "github," and "cosign-vuln."

File System Scanning

# Scan a specific path
trivy fs path

# Scan a folder with specific scanners
trivy fs --scanners vuln,misconfig Folder_name_OR_Path

# Scan a folder with specific severity levels
trivy fs --severity HIGH,CRITICAL Folder_name_OR_Path

# Scan a folder with specific scanners and severity levels
trivy fs --scanners vuln,misconfig --severity HIGH,CRITICAL Folder_name_OR_Path

# Export the report
trivy fs --format table -o report.html folderpath

Docker Image Scanning

# Scan a Docker image
trivy image imagename

# Scan a Docker image with specific severity levels
trivy image --severity HIGH,CRITICAL image_name

# Save the scan report to a file
trivy image --format table -o trivy_report.txt your_container_image

Git Repository Scanning

# Scan a Git repository
trivy repo repo-url

# Example: Scan a GitHub repository
trivy repo repo-url https://github.com/jaiswaladi246/Ekart.git

Kubernetes Cluster Scanning

# Scan a Kubernetes cluster and generate a summary report
trivy k8s --report summary cluster

Additional Notes

  • The GitHub repository for the Aqua Security Scanner Jenkins plugin can be found here.

  • To retrieve a list of container images used by pods in a Kubernetes cluster, use the following command:

kubectl get pods -o=jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}'
  • The output can be piped to Trivy for vulnerability scanning:
kubectl get pods -o=jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}' | trivy image --format json -

This command extracts container images from pod specifications and scans them using Trivy, with the output in JSON format.