How to Use Trivy to Scan Docker Images for Vulnerabilities

Docker vulnerability scan using trivy

This blog covers the essential steps to secure your Docker images against potential vulnerabilities using Trivy scanner.

Trivy scanner is an open-source tool that can be used to scan Docker images for vulnerabilities.

Docker images are a simple way to package and deploy applications. However, they can also be a security risk if they contain vulnerabilities: issues in OS libraries, vulnerabilities in application dependencies, container misconfigurations and so on.

Trivy is an effective Docker vulnerability scanner that supports multiple vulnerability databases, including the Common Vulnerabilities and Exposures (CVE) database. Trivy can also scan for misconfigurations and secrets.

Scan Docker Images With Trivy

The following image shows the high-level components and the container scanning workflow.

Trivy Docker Image Scan Workflow

To get started, you need to have Trivy installed on your system or on the CI agent node where you want to implement the Docker image scanning.

You can find the installation steps on the official Trivy installation page.

Scanning Docker images with Trivy is very easy. You just need to run the following trivy command with the name of the image you want to scan.

trivy image <image-name>

For example, I have an image named techiescamp/pet-clinic-app on my workstation. It is a Docker image containing a Java Spring Boot application.

I can scan the image using the following command. Trivy scans for vulnerabilities both in the image itself and in the Java JAR that is part of the image. The results of the scan are displayed in a human-readable format.

trivy image techiescamp/pet-clinic-app:1.0.0

The scan result shows that there are no high or critical vulnerabilities in the image itself.

Trivy Docker image scan result

It also shows 2 high vulnerabilities for the JAR inside the Docker image.

Trivy Docker image jar scan result.

Trivy can be used in multiple ways. Here are a few examples of advanced usage:

Scan for severity

Trivy can scan for vulnerabilities of a specific severity. To do this, use the --severity <severity> flag to specify the vulnerability severities you want reported.

trivy image --severity CRITICAL techiescamp/pet-clinic-app:1.0.0

Trivy Scan in Docker Image Build Pipeline

Trivy plays a key role in CI/CD pipelines in terms of Docker image builds. Organizations use Trivy to scan for vulnerabilities in the CI/CD pipeline to ensure that a secure image is getting deployed to production.

When used in a CI/CD pipeline, the pipeline job should fail if there is any vulnerability in the image. The severity threshold depends on the organization's security compliance. For example, some organizations may have strict guidelines to fail the build for both HIGH and CRITICAL severities.

Now, the best way to fail the build is using exit codes.

To do this, use the --severity and --exit-code 1 flags with the trivy command as shown below. This makes Trivy exit with a non-zero exit code if any vulnerabilities are found for the given severities.

trivy image --severity HIGH,CRITICAL --exit-code 1 techiescamp/pet-clinic-app:1.0.0

Also, you can send the vulnerability report as a build failure notification to developers and DevOps engineers.

A recommended approach is to use a Trivy config file to set the defaults for a scan. You can use this file to accommodate the scanning requirements specific to your project.

Here is an example of a trivy.yaml file:

timeout: 10m
format: json
dependency-tree: true
list-all-pkgs: true
exit-code: 1
output: result.json
severity:
  - HIGH
  - CRITICAL
scan:
  skip-dirs:
    - /lib64
    - /lib
    - /usr/lib
    - /usr/include

  security-checks:
    - vuln
    - secret
vulnerability:
  type:
    - os
    - library
  ignore-unfixed: true
db:
  skip-update: false

Here is the syntax to use the config file:

trivy image --config path/to/trivy.yaml your-image-name:tag

Output as JSON

Trivy can also give output in JSON format. To do this, use the --format json flag; it will display the scan results in JSON format.

trivy image --format json techiescamp/pet-clinic-app:1.0.0

Ignore unfixed vulnerabilities

There are vulnerabilities that cannot be fixed even if the packages are updated, because no patched version exists yet (unpatched/unfixed). Trivy can scan images while ignoring those vulnerabilities. To do this, use the --ignore-unfixed flag.

trivy image --ignore-unfixed java:0.1
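As an added example (not from the original post or the Trivy project), here is a small Python gate that post-processes a Trivy JSON report (trivy image --format json --output result.json ...) the way the CI stage above does with --exit-code 1: it fails on the chosen severities, can drop unfixed findings like --ignore-unfixed, and produces a short list for the build-failure notification. The report is constructed sample data in Trivy's Results[].Vulnerabilities[] layout; the CVE IDs and package names are placeholders.

```python
import json
from collections import Counter

# Constructed sample in Trivy's JSON layout (Results[].Vulnerabilities[]);
# CVE IDs and package names are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "techiescamp/pet-clinic-app:1.0.0",
    "Results": [
        {"Target": "techiescamp/pet-clinic-app:1.0.0 (debian 11.6)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "MEDIUM"}]},
        {"Target": "app/spring-petclinic.jar", "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "org.example:lib",
              "InstalledVersion": "2.1.0", "FixedVersion": "2.1.4", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "org.example:other",
              "InstalledVersion": "3.0.0", "FixedVersion": "", "Severity": "HIGH"}]}]})

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def findings(report_json, ignore_unfixed=False):
    """Flatten the report into (target, vuln_id, pkg, severity, fixed_version) rows."""
    rows = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy omits "Vulnerabilities" entirely for a clean target, hence `or []`.
        for v in result.get("Vulnerabilities") or []:
            fixed = v.get("FixedVersion", "")
            if ignore_unfixed and not fixed:
                continue  # same effect as --ignore-unfixed / ignore-unfixed: true
            rows.append((result["Target"], v["VulnerabilityID"], v["PkgName"],
                         v["Severity"], fixed))
    return rows


def gate(report_json, fail_on=("HIGH", "CRITICAL"), ignore_unfixed=False):
    """Return (exit_code, counts_by_severity); exit_code is 1 when any finding
    is at a fail_on severity, mirroring --severity HIGH,CRITICAL --exit-code 1."""
    counts = Counter(sev for _, _, _, sev, _ in findings(report_json, ignore_unfixed))
    return (1 if any(counts[s] for s in fail_on) else 0), dict(counts)


def summary(report_json, fail_on=("HIGH", "CRITICAL"), ignore_unfixed=False):
    """Text for the build-failure notification: failing findings, worst first."""
    rows = [r for r in findings(report_json, ignore_unfixed) if r[3] in fail_on]
    rows.sort(key=lambda r: SEVERITY_ORDER.index(r[3]), reverse=True)
    return "\n".join(f"{sev:8} {vid:17} {pkg} in {target}; fix: {fixed or 'none'}"
                     for target, vid, pkg, sev, fixed in rows)
```

In a pipeline you would call gate() on the file written by --output and use the returned exit code as the job status, so the same report serves both the build decision and the notification.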

Scan Docker tar Images

There are situations where you have Docker images in tar format. In this case, you can use Trivy to scan the tar archive directly by passing it with the --input flag.

For example,

trivy image --input petclinic-app.tar

What Does Trivy Scan In Docker Images?

The following are the key elements in a Docker image that are scanned by Trivy.

1. Trivy can scan for vulnerabilities in a variety of package managers, including apt, yum, apk, and npm. This means that Trivy can scan for vulnerabilities in images that use a variety of different software dependencies.
2. Trivy can scan for vulnerabilities in both Linux and Windows images. This means that you can use Trivy to scan images that will be running on either Linux or Windows hosts.
3. Trivy can scan for vulnerabilities in images that are stored in a variety of different formats, including Docker images, tar archives, and filesystems. This means that you can use Trivy to scan images that are stored in a variety of different locations.
4. Trivy can scan for vulnerabilities in Docker images running in various environments, including plain Docker containers and Kubernetes pods. This means that you can use Trivy to scan images that are running in any environment that you use.

Benefits of Docker Image Vulnerability Scanning With Trivy

The following graph shows the total vulnerabilities in the CVE database. As you can see, it keeps increasing every year.

CVE vulnerability graph

Considering the increase in vulnerabilities, there are many benefits to scanning Docker images with Trivy.

Some of the benefits include:

1. Identifying vulnerabilities: Trivy can identify vulnerabilities in the packages used in your Docker images. This is particularly helpful in base image patching and application image builds.
2. Improving security posture: By scanning your images for vulnerabilities, you can improve the security posture of your organization.
3. Security compliance: Many organizations are required to check their Docker images for vulnerabilities as part of security compliance. You can meet these standards with the help of Trivy.

Conclusion

Docker image vulnerability scanning is a must during development as well as during the CI/CD process. It ensures you follow good DevSecOps principles and implement best practices to maintain robust security in your Docker-based environments.

You can also use Hadolint in your CI/CD pipeline before the vulnerability scan. It ensures you follow all the Dockerfile best practices.
