This blog covers the essential steps to secure your Docker images against known vulnerabilities using the Trivy scanner.
Trivy is an open-source tool that scans Docker images for vulnerabilities.
Docker images are a simple way to package and deploy applications. However, they can also be a security risk if they contain vulnerabilities: issues in OS libraries, vulnerable application dependencies, container misconfigurations, and so on.
Trivy is an effective Docker vulnerability scanner that supports multiple vulnerability databases, including the Common Vulnerabilities and Exposures (CVE) database. Trivy can also scan for misconfigurations and secrets.
Scan Docker Images With Trivy
The following image shows the high-level components and the container scanning workflow.
To get started, you need to have Trivy installed on your system or on the CI agent node where you want to implement Docker image scanning.
You can find the installation steps at official Trivy installation page.
Scanning Docker images with Trivy is very easy. You just need to run the following trivy command with the name of the image you want to scan.
trivy image <image-name>
For example, I have an image named techiescamp/pet-clinic-app on my workstation. It is a Docker image with a Java Spring Boot application.
I can scan the image using the following command. Trivy scans for vulnerabilities both in the image itself and in the Java JAR that is part of the image. The results of the scan are displayed in a human-readable format.
trivy image techiescamp/pet-clinic-app:1.0.0
The scan result shows that there are no high or critical vulnerabilities in the image itself.
It also shows 2 high vulnerabilities for the JAR inside the Docker image.
Trivy can be used in multiple ways. Here are a few examples of advanced usage:
Scan by severity
Trivy can restrict the results to vulnerabilities of a specific severity. To do this, pass the --severity <severity> flag with the severity level(s) you need to scan for.
trivy image --severity CRITICAL techiescamp/pet-clinic-app:1.0.0
Trivy Scan in Docker Image Build Pipeline
Trivy plays a key role in CI/CD pipelines for Docker image builds. Organizations use Trivy to scan for vulnerabilities in the CI/CD pipeline to ensure that only a secure image gets deployed to production.
When used in a CI/CD pipeline, the pipeline job should fail if the image contains a vulnerability. Which severities count depends on the organization's security compliance requirements. For example, some organizations may have strict guidelines to fail the build for both HIGH and CRITICAL severities.
The best way to fail the build is to use exit codes. To do this, use the --severity and --exit-code 1 flags with the trivy command as shown below. This makes Trivy exit with a non-zero exit code if any vulnerabilities are found for the given severities.
trivy image --severity HIGH,CRITICAL --exit-code 1 techiescamp/pet-clinic-app:1.0.0
Also, you can send the vulnerability report as a build failure notification to developers and DevOps engineers.
A recommended approach is to use a Trivy config file to set the defaults for a scan. You can use this file to accommodate the scanning requirements specific to your project.
Here is an example of a trivy.yaml file:
timeout: 10m
format: json
dependency-tree: true
list-all-pkgs: true
exit-code: 1
output: result.json
severity:
  - HIGH
  - CRITICAL
scan:
  skip-dirs:
    - /lib64
    - /lib
    - /usr/lib
    - /usr/include
  security-checks:
    - vuln
    - secret
vulnerability:
  type:
    - os
    - library
  ignore-unfixed: true
db:
  skip-update: false
Here is the syntax for using the config file:
trivy image --config path/to/trivy.yaml your-image-name:tag
Output as JSON
Trivy can also produce its output in JSON format. To do this, use the --format json flag; the scan results are then displayed as JSON.
trivy image --format json techiescamp/pet-clinic-app:1.0.0
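As an added example (not code from the article or from the Trivy project), the following script applies the same HIGH/CRITICAL build gate described in the pipeline section to the JSON report that --format json --output result.json writes, and produces the per-finding summary for the build-failure notification. It assumes the standard Trivy JSON layout (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity) and falls back to a constructed sample report when no file is given; the ignore_unfixed option reproduces the effect of --ignore-unfixed.

```python
import json
import sys

# Constructed `trivy image --format json` report, trimmed to the fields the gate
# reads. The CVE ids and package names are placeholders, not real findings.
SAMPLE_REPORT = {"Results": [
    {"Target": "techiescamp/pet-clinic-app:1.0.0 (debian)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1", "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2", "InstalledVersion": "2.1", "FixedVersion": "2.2", "Severity": "MEDIUM"}]},
    {"Target": "app/spring-petclinic.jar", "Class": "lang-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "org.example:lib", "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "org.example:other", "InstalledVersion": "3.0", "FixedVersion": "3.0.1", "Severity": "CRITICAL"}]},
    {"Target": "app/application.properties", "Class": "secret"}]}  # secret results carry no Vulnerabilities key

def count_by_severity(report, ignore_unfixed=False):
    """Count findings per severity across every Result. Targets without
    findings lack the "Vulnerabilities" key (or carry null), hence `or []`.
    ignore_unfixed=True skips findings with no FixedVersion, mirroring
    trivy's --ignore-unfixed flag."""
    counts = {s: 0 for s in ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] = counts.get(sev, 0) + 1
    return counts

def gate_exit_code(report, fail_on=("HIGH", "CRITICAL"), ignore_unfixed=False):
    """1 if any finding has a severity in fail_on, else 0: the --severity/--exit-code 1 contract."""
    counts = count_by_severity(report, ignore_unfixed)
    return 1 if any(counts.get(s, 0) for s in fail_on) else 0

def failure_summary(report, fail_on=("HIGH", "CRITICAL")):
    """One line per failing finding, for the build-failure notification."""
    lines = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") in fail_on:
                fix = v.get("FixedVersion") or "no fix available"
                lines.append(f"{result['Target']}: {v['VulnerabilityID']} {v['PkgName']} "
                             f"{v['InstalledVersion']} -> {fix} [{v['Severity']}]")
    return lines

if __name__ == "__main__":  # usage: python trivy_gate.py result.json
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    print("\n".join(failure_summary(report)))
    sys.exit(gate_exit_code(report))  # non-zero exit fails the CI job
```

Running the script after trivy image --format json --output result.json lets the pipeline print the failing findings and exit non-zero in one step, with the policy kept in code rather than spread across flags.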
Generate a Software Bill of Materials (SBOM)
An SBOM is a complete list of all components used in a software application, such as libraries, frameworks, and modules, including their versions.
It helps to identify potential vulnerabilities, manage licenses, and maintain software more effectively.
Trivy can generate an SBOM in the CycloneDX and SPDX formats.
Use one of the commands below to generate an SBOM in SPDX JSON or CycloneDX format.
trivy image --format spdx-json --output result.json techiescamp/pet-clinic-app:1.0.0
trivy image --format cyclonedx --output result.json techiescamp/pet-clinic-app:1.0.0
Trivy can also scan an SBOM file for vulnerabilities instead of the image itself. Use the following command to scan for vulnerabilities using an SBOM file:
trivy sbom result.json
Ignore unfixed vulnerabilities
Some vulnerabilities cannot be fixed yet because no patched package version is available (unpatched/unfixed). Trivy can scan images while ignoring those vulnerabilities. To do this, use the --ignore-unfixed flag.
trivy image --ignore-unfixed java:0.1
Scan Docker tar Images
There are situations where you have Docker images in tar format. In this case, you can use Trivy to scan the tar archive directly.
For example:
trivy image --input petclinic-app.tar
What Does Trivy Scan In Docker Images?
Following are the key elements in the Docker image that are scanned by Trivy.
- Trivy can scan for vulnerabilities in a variety of package managers, including apt, yum, apk, and npm. This means that Trivy can scan for vulnerabilities in images that use a variety of different software dependencies.
- Trivy can scan for vulnerabilities in both Linux and Windows images. This means that you can use Trivy to scan images that will be running on either Linux or Windows hosts.
- Trivy can scan for vulnerabilities in images that are stored in a variety of different formats, including Docker images, tar archives, and filesystems. This means that you can use Trivy to scan images that are stored in a variety of different locations.
- Trivy can scan for vulnerabilities in Docker images running in various environments, including plain Docker containers and Kubernetes pods. This means that you can use Trivy to scan images that are running in any environment that you use.
Benefits of Docker Image Vulnerability Scanning With Trivy
The following graph shows the total number of vulnerabilities in the CVE database. As you can see, it keeps increasing every year.
Considering the increase in vulnerabilities, there are many benefits of scanning Docker images with Trivy.
Some of the benefits include:
- Identifying vulnerabilities: Trivy can identify vulnerabilities in the packages used in your Docker images. This is particularly helpful in base image patching and application image builds.
- Improving security posture: By scanning your images for vulnerabilities, you can improve the security posture of your organization.
- Security Compliance: Many organizations are required to check their Docker images for vulnerabilities as part of the security compliance. You can achieve these standards with the help of Trivy.
Conclusion
Docker image vulnerability scanning is a must during development as well as in the CI/CD process. This ensures you follow good DevSecOps principles and implement best practices to maintain robust security in your Docker-based environments.
You can also use Hadolint in your CI/CD pipeline before the vulnerability scan. It ensures you follow Dockerfile best practices.