{"id":882,"date":"2024-10-08T07:56:00","date_gmt":"2024-10-08T07:56:00","guid":{"rendered":"https:\/\/blog.ngocha.biz\/?p=882"},"modified":"2024-10-08T07:56:00","modified_gmt":"2024-10-08T07:56:00","slug":"scan-docker-images-using-trivy","status":"publish","type":"post","link":"https:\/\/blog.ngocha.biz\/?p=882","title":{"rendered":"Using Trivy Container Scanner to Detect Vulnerabilities (Comprehensive Guide)"},"content":{"rendered":"

This blog covers the essential steps to secure your Docker images against potential vulnerabilities using Trivy Container Scanner.<\/p>\n

What is Trivy?<\/h2>\n

Trivy<\/a> is an open-source security scanner<\/strong> that scans for vulnerabilities in containers and other artifacts. It has an internal database called trivy-db<\/a> <\/strong>which contains information about different vulnerabilities.<\/p>\n

It is created and maintained by AquaSecurity<\/a><\/p>\n

Trivy not only scan for vulnerability but also give suggestion to solve the issues and links to the vulnerable data for more information.<\/p>\n

Trivy can access a wide range of vulnerability information from different vulnerability databases and uses vulnerability data from those vulnerability databases to detect security issues. Some of the vulnerability databases are National Vulnerability Database (NVD)<\/a>, Red Hat Security Data, and Alpine SecDB.<\/p>\n

While scanning Trivy compares the directory or container image’s software packages and libraries with the information in the vulnerability database and if a match is found that means the package or library in the container image has a vulnerability. Then Trivy reports these vulnerabilities along with other details such as severity level, affected versions, and repair suggestions.<\/p>\n

Trivy updates its database every 6 hours. When you start the scan, trivy updates the databases automatically so that you don’t have to keep track of database updates.<\/p>\n

Another important feature of Trivy is generating SBOM. It provides a detailed inventory of all the components used in software, including open-source and third-party libraries.<\/p>\n

Install Trivy<\/h2>\n

Let’s see how to install Trivy on Ubuntu, follow the below steps to install Trivy.<\/p>\n

For other platform, please visit the official installation page.<\/a><\/p>\n

Step 1: <\/strong>First, install the required dependencies for Trivy using the command given below:<\/p>\n

sudo apt-get install wget apt-transport-https gnupg lsb-release<\/code><\/pre>\n
Step 2:<\/strong> Download the public key and Trivy repository using the commands given below:<\/p>\n
wget -qO - https:\/\/aquasecurity.github.io\/trivy-repo\/deb\/public.key | gpg --dearmor | sudo tee \/usr\/share\/keyrings\/trivy.gpg > \/dev\/null\n\necho \"deb [signed-by=\/usr\/share\/keyrings\/trivy.gpg] https:\/\/aquasecurity.github.io\/trivy-repo\/deb $(lsb_release -sc) main\" | sudo tee -a \/etc\/apt\/sources.list.d\/trivy.list<\/code><\/pre>\n
Step 3:<\/strong> Update the repository using the update command.<\/p>\n
sudo apt update -y<\/code><\/pre>\n
Step 4:<\/strong> Install Trivy using the command:<\/p>\n
sudo apt install trivy<\/code><\/pre>\n
To verify the installation and understand all the available option, run the following trivy help command.<\/p>\n
trivy -h<\/code><\/pre>\n
You should get an output a shown below.<\/p>\n
trivy -h\nScanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets\n\nUsage:\n  trivy [global flags] command [flags] target\n  trivy [command]\n\nExamples:\n  # Scan a container image\n  $ trivy image python:3.4-alpine\n\n  # Scan a container image from a tar archive\n  $ trivy image --input ruby-3.1.tar\n\n  # Scan local filesystem\n  $ trivy fs .\n\n  # Run in server mode\n  $ trivy server\n\nScanning Commands\n  aws         [EXPERIMENTAL] Scan AWS account\n  config      Scan config files for misconfigurations\n  filesystem  Scan local filesystem\n  image       Scan a container image\n  kubernetes  [EXPERIMENTAL] Scan kubernetes cluster\n  repository  Scan a remote repository\n  rootfs      Scan rootfs\n  sbom        Scan SBOM for vulnerabilities\n  vm          [EXPERIMENTAL] Scan a virtual machine image\n\nManagement Commands\n  module      Manage modules\n  plugin      Manage plugins\n\nUtility Commands\n  completion  Generate the autocompletion script for the specified shell\n  convert     Convert Trivy JSON report into a different format\n  help        Help about any command\n  server      Server mode\n  version     Print the version\n\nFlags:\n      --cache-dir string          cache directory (default \"\/Users\/bibinwilson\/Library\/Caches\/trivy\")\n  -c, --config string             config path (default \"trivy.yaml\")\n  -d, --debug                     debug mode\n  -f, --format string             version format (json)\n      --generate-default-config   write the default config to trivy-default.yaml\n  -h, --help                      help for trivy\n      --insecure                  allow insecure server connections\n  -q, --quiet                     suppress progress bar and log output\n      --timeout duration          timeout (default 5m0s)\n  -v, --version                   show version\n\nUse \"trivy [command] --help\" for more information about a command.\n<\/code><\/pre>\n
Using Trivy To Scan for Vulnerability<\/h2>\n
Whenever you run the Trivy command to scan for vulnerabilities it will download the relevant database first and compare it with the vulnerabilities listed in the database.<\/p>\n
Trivy shows the risk of vulnerability as critical, high, medium, and low.<\/p>\n
    \n
  1. Critical<\/strong> – This is the most severe vulnerability which needs to be fixed as soon as possible because it can allow administrative control over the system.<\/li>\n
  2. High<\/strong> – It could cause data leakage.<\/li>\n
  3. Medium<\/strong> – It could make the system unavailable for users.<\/li>\n
  4. Low<\/strong> – This can be solved during regular maintenance.<\/li>\n<\/ol>\n
    We can use Trivy to scan the following targets:<\/p>\n
      \n
    1. Container images<\/li>\n
    2. Filesystem<\/li>\n
    3. Remote Git repositories<\/li>\n<\/ol>\n
      There are also experimental features to scan Kubernetes<\/a> & AWS configurations.<\/p>\n
      Trivy uses different commands to scan targets that are mentioned above.<\/p>\n
      The following image shows the high level components and container scanning workflow.<\/p>\n
      \"Trivy
      Click to View in HD<\/span><\/figcaption><\/figure>\n
      Scan Container Images With Trivy<\/h2>\n
      To get started, you need to have trivy intalled on you system or the CI agent node<\/strong> where you want to implement the Docker image scanning.<\/p>\n
      You can find the installation steps at official Trivy installation page.<\/a><\/p>\n
      Scanning Docker Images using Trivy is very easy. You just need to run the following trivy command with the image name you want to scan.<\/p>\n
      trivy image <image-name><\/code><\/pre>\n
      For example, I have a image named techiescamp\/pet-clinic-app<\/code><\/strong> in my workstation. It is a docker image with java spring boot<\/a> application.<\/p>\n
      I can scan the image using the following command. Trivy scans for both vulnerabilities in the image as as the java jar that is part of the image. The results of the scan will be displayed in a human-readable format.<\/p>\n
      trivy image techiescamp\/pet-clinic-app:1.0.0<\/code><\/pre>\n
      The scan result shows that there are not high or critical vulnerabilties in the image.<\/p>\n
      \"Trivy<\/figure>\n
      Also it shows 2 high vulnerabilities<\/strong> for the jar inside the Docker image.<\/p>\n
      \"Trivy<\/figure>\n
      Trivy can be used in multiple ways. Here are a few examples of advanced usage:<\/p>\n
      Scan for severity<\/strong><\/h3>\n
      Trivy can scan for vulnerabilities of a specific severity. To do this, use the --severity <severity><\/code> flag to specify the vulnerability severity that you need to scan.<\/p>\n
      trivy image --severity CRITICAL techiescamp\/pet-clinic-app:1.0.0<\/code><\/pre>\n
      Output as JSON<\/strong><\/h3>\n
      Trivy can also give output in JSON format. To do this, use the --format json<\/code> flag, it will display the scanned results in JSON format.<\/p>\n
      trivy image --format json techiescamp\/pet-clinic-app:1.0.0<\/code><\/pre>\n
      Ignore fixed vulnerabilities<\/strong><\/h3>\n
      There are vulnerabilities that cannot be fixed even if the packages are updated (unpatched\/unfixed). Trivy can scan images ignoring those vulnerabilities. To do this, use the --ignore-unfixed<\/code> flag.<\/p>\n
      trivy image --ignore-unfixed java:0.1<\/code><\/pre>\n
      Scan Docker tar Images<\/h3>\n
      There are situations you might have the Docker images in tar format. In this case, you can use trivy to scan the image in tar format.<\/p>\n
      For example,<\/p>\n
      trivy image --input petclinic-app.tar<\/code><\/pre>\n
      Trivy Scan in Docker Image Build Pipeline<\/h2>\n
      Trivy plays a key role in CI\/CD pipeline in terms docker image builds<\/a>. Organizations use trivy to scan for vulnerabilities in CI\/CD pipeline to ensure a seecure image is getting deployed in production.<\/p>\n
      When using in CI\/CD piepline, the the pipeline job should fail<\/strong> if there is any vulnerability in the image. The severity depends on the organizations security compliance. For example, some organization may have strict guidelines to fail the build for both HIGH and CRITICAL severities.<\/p>\n
      Now, the best way to fail the build is using exit codes.<\/p>\n
      To do this, use the  --severity<\/code> and --exit-code 1<\/code> flag with the trivy command as shown below. It will make Trivy exit with a non-zero exit code if any vulnerabilities are found for the given severities<\/p>\n
      trivy image --severity HIGH,CRITICAL  --exit-code 1 techiescamp\/pet-clinic-app:1.0.0<\/code><\/pre>\n
      Also, you can send the vulnerability report as a build failure notification to developers and DevOps engineers.<\/p>\n
      A recommended approach is to use a Trivy config file to set the defaults for a scan. You can use this file to accomodate your scanning requirements specific to your project needs.<\/p>\n
      Here is an example of trivy.yaml <\/code>file<\/p>\n
      timeout: 10m\nformat: json\ndependency-tree: true\nlist-all-pkgs: true\nexit-code: 1\noutput: result.json\nseverity:\n  - HIGH\n  - CRITICAL\nscan:\n  skip-dirs:\n    - \/lib64\n    - \/lib\n    - \/usr\/lib\n    - \/usr\/include\n\n  security-checks:\n    - vuln\n    - secret\nvulnerability:\n  type:\n    - os\n    - library\n  ignore-unfixed: true\ndb:\n  skip-update: false<\/code><\/pre>\n
      Here is the syntax to use the config file<\/p>\n
      trivy image --config path\/to\/trivy.yaml your-image-name:tag<\/code><\/pre>\n
      Generate a Software Bill of Materials (SBOM)<\/h2>\n
      An SBOM is a complete list of all components<\/strong> used in a software application, such as a library, framework, and module, including their versions.<\/p>\n
      It helps to identify potential vulnerabilities, manage licenses, and maintain software more effectively.<\/p>\n
      For example, vulnerabilities like Log4j (CVE-2021-44228) affected many organization. With SBOM organizations can quickly search across its entire software ecosystem to locate which applications or services use Log4j<\/strong> and take remediation measures.<\/p>\n
      Trivy can generate SBOM CycloneDX<\/a> and SPDX<\/a> formats.<\/p>\n
      Use the below command to generate SBOM in either CycloneDX or SPDX format.<\/p>\n
      trivy image --format spdx-json --output result.json techiescamp\/pet-clinic-app:1.0.0\n\ntrivy image --format cyclonedx --output result.json techiescamp\/pet-clinic-app:1.0.0<\/code><\/pre>\n
      Trivy also has the ability to scan for vulnerabilities using the SBOM file, use the following command to scan for vulnerabilities using an SBOM file<\/p>\n
      trivy sbom result.json<\/code><\/pre>\n
      Scan Filesystem<\/p>\n
      The command used to scan the filesystem is given below:<\/p>\n
      trivy fs <path of the directory><\/code><\/pre>\n
      For example, if the path of the directory is Documents\/jenkins-pipeline\/ then the command will be:<\/p>\n
      trivy fs Documents\/jenkins-pipeline\/<\/code><\/pre>\n
      It will scan the directory and shows the vulnerability in the directory as shown below.<\/p>\n
      \"Trivy<\/figure>\n
      Scan Git Repository<\/h2>\n
      The command used to scan the git repository is given below:<\/p>\n
      trivy repo <repo URL><\/code><\/pre>\n
      If you are using a private repository, you need to provide your git token for authentication as given below.<\/p>\n
      export GITHUB_TOKEN=,git token>\n\ntrivy repo <repo URL><\/code><\/pre>\n
      It will scan the repo and shows the vulnerability in the repo as shown below.<\/p>\n
      \"Trivy<\/figure>\n
      You can also check out the official Trivy scanner video guide to see Trivy in action.<\/p>\n