In this blog, you will learn how to use the open-source Trivy security scanner to scan Docker container images, filesystems, Git repositories, Kubernetes clusters, and more.
What is Trivy
Trivy is an open-source security scanner that finds vulnerabilities in container images and other artifacts. It ships with an internal database, trivy-db, that holds information about known vulnerabilities.
It is created and maintained by Aqua Security.
Trivy not only scans for vulnerabilities but also suggests how to fix them and links to the vulnerability details for more information.
Trivy draws its vulnerability information from several vulnerability databases, including the National Vulnerability Database (NVD), Red Hat Security Data, and Alpine SecDB, and uses that data to detect security issues.
While scanning, Trivy compares the software packages and libraries found in the directory or container image with the entries in the vulnerability database; a match means that package or library is affected by a known vulnerability. Trivy then reports these vulnerabilities along with details such as the severity level, the affected versions, and the fixed version to upgrade to.
Trivy updates its database every 6 hours. When you start a scan, Trivy downloads database updates automatically, so you don’t have to keep track of them yourself.
Install Trivy
Let’s see how to install Trivy on Ubuntu. Follow the steps below.
For other platforms, please see the official installation page.
Step 1: First, install the dependencies Trivy needs using the command below:
sudo apt-get install wget apt-transport-https gnupg lsb-release
Step 2: Download the public key and Trivy repository using the commands given below:
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
Step 3: Refresh the package index so apt picks up the new repository:
sudo apt update -y
Step 4: Install Trivy using the command:
sudo apt install trivy
To verify the installation and see all the available options, run the trivy help command:
trivy -h
You should get output as shown below.
trivy -h
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
Usage:
trivy [global flags] command [flags] target
trivy [command]
Examples:
# Scan a container image
$ trivy image python:3.4-alpine
# Scan a container image from a tar archive
$ trivy image --input ruby-3.1.tar
# Scan local filesystem
$ trivy fs .
# Run in server mode
$ trivy server
Scanning Commands
aws [EXPERIMENTAL] Scan AWS account
config Scan config files for misconfigurations
filesystem Scan local filesystem
image Scan a container image
kubernetes [EXPERIMENTAL] Scan kubernetes cluster
repository Scan a remote repository
rootfs Scan rootfs
sbom Scan SBOM for vulnerabilities
vm [EXPERIMENTAL] Scan a virtual machine image
Management Commands
module Manage modules
plugin Manage plugins
Utility Commands
completion Generate the autocompletion script for the specified shell
convert Convert Trivy JSON report into a different format
help Help about any command
server Server mode
version Print the version
Flags:
--cache-dir string cache directory (default "/Users/bibinwilson/Library/Caches/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
-f, --format string version format (json)
--generate-default-config write the default config to trivy-default.yaml
-h, --help help for trivy
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
Use "trivy [command] --help" for more information about a command.
Using Trivy To Scan for Vulnerability
Whenever you run a Trivy scan, it first downloads the relevant vulnerability database and then compares the packages it finds against the vulnerabilities listed in that database.
Trivy classifies the risk of each vulnerability as critical, high, medium, or low.
- Critical – The most severe vulnerability, which needs to be fixed as soon as possible because it can allow administrative control over the system.
- High – It could cause data leakage.
- Medium – It could make the system unavailable to users.
- Low – This can be fixed during regular maintenance.
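In a CI pipeline you usually want the severity levels above to decide whether a build passes. The following script is an added example (not part of the original post or of the Trivy project) that reads a Trivy JSON report, as produced by trivy ... --format json, counts findings per severity and fails when anything at or above a chosen threshold is present. The report embedded in the script is a constructed sample whose CVE ids and package names are placeholders, not real findings; the function names gate, blocking_findings and count_by_severity are this example's own. The Results/Vulnerabilities/Severity/FixedVersion keys are those of Trivy's JSON output.

```python
import json
import sys
from collections import Counter

# Trivy's severity levels, lowest first; UNKNOWN is used when no score exists.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample of a `trivy image --format json` report.
# The CVE ids, package names and versions are placeholders, not real findings.
SAMPLE_REPORT = json.loads("""
{
  "ArtifactName": "example/app:1.0",
  "Results": [
    {
      "Target": "example/app:1.0 (debian 12.1)",
      "Class": "os-pkgs",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
         "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
         "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libother",
         "InstalledVersion": "2.3", "FixedVersion": "2.4", "Severity": "MEDIUM"}
      ]
    },
    {
      "Target": "app/requirements.txt",
      "Class": "lang-pkgs",
      "Type": "pip",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "somepkg",
         "InstalledVersion": "0.9", "FixedVersion": "1.1", "Severity": "LOW"}
      ]
    },
    {"Target": "app/Dockerfile", "Class": "config", "Type": "dockerfile"}
  ]
}
""")


def iter_vulns(report):
    """Yield (target, vulnerability) pairs; Results without findings carry no key."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def severity_rank(severity):
    """Numeric rank of a severity string; anything unrecognised ranks as UNKNOWN."""
    severity = (severity or "UNKNOWN").upper()
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def count_by_severity(report):
    """Return {severity: count} across every Result in the report."""
    counts = Counter()
    for _, vuln in iter_vulns(report):
        counts[(vuln.get("Severity") or "UNKNOWN").upper()] += 1
    return dict(counts)


def blocking_findings(report, threshold="HIGH", ignore_unfixed=False):
    """Findings at or above `threshold`. With ignore_unfixed=True, findings that
    have no FixedVersion are skipped (the same policy as trivy's --ignore-unfixed)."""
    minimum = severity_rank(threshold)
    hits = []
    for target, vuln in iter_vulns(report):
        if severity_rank(vuln.get("Severity")) < minimum:
            continue
        if ignore_unfixed and not vuln.get("FixedVersion"):
            continue
        hits.append({
            "id": vuln.get("VulnerabilityID", "?"),
            "pkg": vuln.get("PkgName", "?"),
            "installed": vuln.get("InstalledVersion", "?"),
            "fixed": vuln.get("FixedVersion", ""),
            "severity": (vuln.get("Severity") or "UNKNOWN").upper(),
            "target": target,
        })
    return hits


def gate(report, threshold="HIGH", ignore_unfixed=False):
    """CI gate: return (exit_code, report_lines); exit code 1 means the build should fail."""
    counts = count_by_severity(report)
    hits = blocking_findings(report, threshold, ignore_unfixed)
    lines = ["summary: " + ", ".join(f"{s}={counts.get(s, 0)}" for s in reversed(SEVERITY_ORDER))]
    for hit in hits:
        fix = f"upgrade to {hit['fixed']}" if hit["fixed"] else "no fix available yet"
        lines.append(f"{hit['severity']:<8} {hit['id']} {hit['pkg']} {hit['installed']} ({fix}) in {hit['target']}")
    return (1 if hits else 0), lines


if __name__ == "__main__":
    # Usage: python trivy_gate.py report.json  (falls back to the constructed sample)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    code, lines = gate(report, threshold="HIGH", ignore_unfixed=False)
    print("\n".join(lines))
    sys.exit(code)
```

Run it after trivy image --format json --output report.json nginx:1 as python trivy_gate.py report.json; the threshold and the ignore_unfixed switch are the two knobs teams typically tune (failing only on fixable HIGH and CRITICAL findings keeps the pipeline actionable).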
We can use Trivy to scan the following targets:
- Container images
- Filesystem
- Remote Git repositories
There are also experimental features to scan Kubernetes & AWS configurations.
Trivy uses a different subcommand for each of the targets mentioned above.
Let’s look at an example of each.
Scan Container Images
You can scan container images for vulnerabilities with Trivy using the command below:
trivy image <image name>
For example, if the name of the image is nginx:1 then the command will be:
trivy image nginx:1
It will scan the image and show its vulnerabilities as shown below.
If you have the container image as a tar archive (for example, saved with docker save), you can scan it with the following command:
trivy image --input nginx:1.tar
Scan Filesystem
The command used to scan the filesystem is given below:
trivy fs <path of the directory>
For example, if the path of the directory is Documents/jenkins-pipeline/ then the command will be:
trivy fs Documents/jenkins-pipeline/
It will scan the directory and show the vulnerabilities found in it as shown below.
Scan Git Repository
The command used to scan the git repository is given below:
trivy repo <repo URL>
If you are using a private repository, you need to provide your Git token for authentication through the GITHUB_TOKEN environment variable, as shown below.
export GITHUB_TOKEN=<git token>
trivy repo <repo URL>
It will scan the repository and show its vulnerabilities as shown below.
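The three scan commands above (image, tar archive, filesystem and repository) are easy to run by hand but in CI they are usually wrapped so the same flags are applied every time. The following is an added example (not code from the original post or from the Trivy project) that builds the trivy command line for each target kind and runs it, returning the parsed JSON report. The flags it uses (--quiet, --format json, --severity, --exit-code, --ignore-unfixed and --input) are real Trivy flags; the function names trivy_argv and run_scan are this example's own, and run_scan assumes trivy is installed on the PATH. As in the text, the GITHUB_TOKEN for a private repository is taken from the caller's environment.

```python
import json
import os
import shutil
import subprocess

TARGET_KINDS = ("image", "fs", "repo")


def trivy_argv(kind, target, severity=("HIGH", "CRITICAL"),
               fail_on_findings=True, ignore_unfixed=False, from_tar=False):
    """Build the trivy command line for one scan.

    kind:       "image", "fs" or "repo" (the subcommands shown above)
    target:     image name, directory path, repository URL, or tar path with from_tar=True
    severity:   only report these levels (trivy's --severity flag)
    fail_on_findings: add --exit-code 1 so trivy itself fails the job when it finds something
    ignore_unfixed:   skip findings that have no fixed version yet
    """
    if kind not in TARGET_KINDS:
        raise ValueError(f"unsupported target kind {kind!r}; expected one of {TARGET_KINDS}")
    if from_tar and kind != "image":
        raise ValueError("--input (tar archive) only applies to image scans")

    argv = ["trivy", kind, "--quiet", "--format", "json", "--severity", ",".join(severity)]
    if fail_on_findings:
        argv += ["--exit-code", "1"]
    if ignore_unfixed:
        argv.append("--ignore-unfixed")
    if from_tar:
        argv += ["--input", target]   # trivy image --input nginx:1.tar
    else:
        argv.append(target)           # trivy image nginx:1 / trivy fs DIR / trivy repo URL
    return argv


def run_scan(kind, target, **options):
    """Run trivy and return (findings_present, report_dict).

    Requires the trivy binary on the PATH. With --exit-code 1 (the default here)
    a non-zero exit that still produced a JSON report means findings; any exit
    without a parseable report is treated as a scanner error and raised.
    """
    if shutil.which("trivy") is None:
        raise RuntimeError("trivy is not installed; follow the installation steps above")
    argv = trivy_argv(kind, target, **options)

    env = os.environ.copy()  # GITHUB_TOKEN for private repos is inherited, never hard-coded
    if kind == "repo" and "GITHUB_TOKEN" not in env:
        print("note: GITHUB_TOKEN is not set; a private repository will fail to clone")

    proc = subprocess.run(argv, capture_output=True, text=True, env=env)
    try:
        report = json.loads(proc.stdout)
    except json.JSONDecodeError:
        raise RuntimeError(f"trivy exited {proc.returncode} without a report: {proc.stderr.strip()}")
    return proc.returncode != 0, report


if __name__ == "__main__":
    # Mirrors the three commands shown above with consistent CI flags.
    for kind, target, opts in [
        ("image", "nginx:1", {}),
        ("image", "nginx:1.tar", {"from_tar": True}),
        ("fs", "Documents/jenkins-pipeline/", {"ignore_unfixed": True}),
        ("repo", "https://github.com/example/repo", {}),  # placeholder URL
    ]:
        print(" ".join(trivy_argv(kind, target, **opts)))
```

The argv list is passed to subprocess.run as a list rather than a shell string, so an image name or path coming from a pipeline variable can never be interpreted as extra shell syntax.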
You can also check out the official Trivy scanner video guide to see Trivy in action.
Conclusion
Vulnerability scanning is an important part of CI/CD. Application code, infrastructure code, and infrastructure configuration should all be scanned for vulnerabilities during the CI stages. This is a core part of good DevSecOps practice.
In your projects, make sure you add a security scanner like Trivy to your DevOps toolchain.
Also, if you are looking for CIS compliance for Kubernetes clusters, check out our Kube Bench guide.