Trivy is an open-source vulnerability scanner designed for container images and filesystems. It helps users find security vulnerabilities in their container images and is commonly used in DevSecOps pipelines to ensure that containerized applications are free from known vulnerabilities.
Here's an explanation of Trivy with an example:
Trivy uses a database of known vulnerabilities, which it regularly updates, to scan container images or filesystems for security issues. It checks the packages and libraries installed in the image against its vulnerability database and reports any findings.
Let's say you're a developer building a Docker image for a web application. You've created a Dockerfile, installed various software packages, and bundled your application code into the image. Before deploying this image to a production environment, you want to ensure that it doesn't contain any known vulnerabilities that could be exploited by attackers.
Here's how you can use Trivy to scan your Docker image:
First, you need to install Trivy on your local machine or CI/CD server. You can find installation instructions in the Trivy documentation.
Run Trivy to scan your Docker image. Here's a simplified command:
trivy image your-image-name:tag
Replace your-image-name:tag with the name and tag of your Docker image. Trivy will analyze the image and compare the packages and libraries in it against its vulnerability database.
Trivy will produce a report listing any vulnerabilities it finds in the image. The report typically includes information such as the CVE (Common Vulnerabilities and Exposures) ID, severity level, and a description of the vulnerability.
== Server vulnerabilities ==
CRITICAL libssl1.1 1.1.1g-r0 2020-04-21T08:20:40Z
== Application vulnerabilities ==
MEDIUM Ruby 2.6.5-r0 2020-02-13T13:01:27Z
In this abbreviated example, Trivy has found a critical-severity vulnerability in one of the image's server (OS-level) packages and a medium-severity vulnerability in an application dependency. A full report would also carry the CVE ID, a description and, where available, the fixed version for each finding.
After reviewing the scan results, you can take action to remediate the vulnerabilities. This may involve updating the affected packages or libraries in your Docker image to a version that doesn't have the known vulnerabilities.
After addressing the vulnerabilities, you can re-scan the image to ensure that it's now free from those specific issues. Once you're confident in the security of your image, you can deploy it to your production environment.
Using Trivy in your container security workflow helps you identify and address security vulnerabilities early in the development process, reducing the risk of deploying vulnerable containers in production. It's a valuable tool for maintaining the security of containerized applications.
Installing Trivy on Debian/Ubuntu from the Aqua Security apt repository (the repository signing key is stored in its own keyring and the repository entry is pinned to it with signed-by):

sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update -y
sudo apt-get install trivy -y
Common Trivy invocations:

Scan a container image:
trivy image imagename

Scan a local filesystem or project directory for vulnerabilities and misconfigurations (on Trivy 0.38 and later the flag is --scanners vuln,misconfig; --security-checks is the older spelling):
trivy fs --security-checks vuln,config folderName/path

Report only HIGH and CRITICAL findings:
trivy image --severity HIGH,CRITICAL <image_name>

Write the report as JSON to a file, which is the form most useful for post-processing in a pipeline:
trivy image -f json -o results.json <image_name>

Scan a remote Git repository:
trivy repo <repo-url>

Produce a summary report for the Kubernetes cluster in the current kubeconfig context:
trivy k8s --report summary cluster
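An added example (not Trivy's own code or from the original page) of the pipeline step that follows the -f json -o results.json command above: it parses a Trivy JSON report, counts findings by severity, fails the build when anything at or above a chosen severity is present, and lists the upgrades that would remediate the blocking findings. The report below is constructed in the shape of Trivy's schema version 2 output; the package names and versions follow the page's example, while the CVE ids, fixed versions and targets are placeholders.

```python
import json
from collections import Counter

# Severity order used by Trivy; the gate below fails on anything at or
# above the configured threshold (HIGH by default, so HIGH and CRITICAL).
SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the shape of Trivy's JSON report (schema version 2).
# Package names/versions follow the page's example output; CVE ids, fixed
# versions and targets are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "your-image-name:tag",
    "Results": [
        {"Target": "your-image-name:tag (alpine 3.11)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl1.1",
              "InstalledVersion": "1.1.1g-r0", "FixedVersion": "1.1.1h-r0",
              "Severity": "CRITICAL", "Title": "placeholder"}]},
        {"Target": "Gemfile.lock", "Class": "lang-pkgs", "Type": "bundler",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "ruby",
              "InstalledVersion": "2.6.5-r0", "FixedVersion": "",
              "Severity": "MEDIUM", "Title": "placeholder"}]},
        # A clean target: Trivy omits the "Vulnerabilities" key entirely.
        {"Target": "app/", "Class": "lang-pkgs", "Type": "npm"},
    ],
})


def findings(report_json):
    """Flatten a report into (target, id, pkg, installed, fixed, severity) tuples."""
    report = json.loads(report_json)
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key absent on clean targets
            out.append((result["Target"], v["VulnerabilityID"], v["PkgName"],
                        v["InstalledVersion"], v.get("FixedVersion", ""), v["Severity"]))
    return out


def gate(report_json, fail_on="HIGH"):
    """Return (passed, counts_by_severity, remediation) for a CI pass/fail decision."""
    threshold = SEVERITIES.index(fail_on)
    found = findings(report_json)
    counts = dict(Counter(f[5] for f in found))
    blocking = [f for f in found if SEVERITIES.index(f[5]) >= threshold]
    # Findings with an empty FixedVersion have no upstream fix yet; flag them separately.
    remediation = [f"{pkg}: {inst} -> {fixed}" if fixed else f"{pkg}: no fixed version yet"
                   for _, _, pkg, inst, fixed, _ in blocking]
    return (not blocking, counts, remediation)
```

In a pipeline, replace SAMPLE_REPORT with the contents of results.json and exit non-zero when the first element of gate() is False.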