Scan Docker Container Images for Vulnerabilities with Trivy


Security evolves so fast that it can look scary to even think about. Before releasing applications to a production environment, you need serious security considerations and protocols to help safeguard your assets, because the internet hosts a bunch of bad guys waiting to claw into the flesh of what you have spent sleepless nights on and just deployed. In an effort to contribute to the safety and security of your containerized applications, today we head down this path of security, with the hope of inspiring some confidence and providing tools that can be your companion on this journey. Today, we present and ululate Trivy.

Trivy is a simple and comprehensive vulnerability scanner for containers and other artifacts. It detects vulnerabilities in operating system packages (Alpine, RHEL, CentOS, etc.) and in application dependencies (Bundler, Composer, npm, yarn, etc.). Before pushing to a container registry or deploying your application, you can easily scan your local container image and other artifacts, giving you confidence that all is well with your application without the heavy configuration that other scanners require.

Features of Trivy

Trivy, in its glory and quietude, holds the following features that you will enjoy:

  • Comprehensive vulnerability detection
  • Simplicity – specify only an image name or artifact name
  • Fast – the first scan finishes within about 10 seconds (depending on your network, since the vulnerability DB is downloaded); subsequent scans finish in a few seconds
  • DevSecOps – suitable for CI such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
  • Supports multiple targets – container images, local filesystems and remote git repositories
  • Easy installation – apt-get install, yum install and brew install are possible, with no prerequisites such as installing a database, libraries, etc.

How To Install Trivy Container Image Scanner

Trivy can be installed on a number of Linux distributions as well as on macOS. We shall cover installation of Trivy on CentOS, Ubuntu, Debian, Arch and macOS. And let the show begin.

Getting Trivy installed on CentOS

You have two options here if you would wish to install Trivy on your CentOS box. You can either use Trivy’s repository or install it directly from its RPM source. To install from repository, add the following repository then proceed to install Trivy.

echo -e "\n[trivy]\nname=Trivy repository\nbaseurl=\$releasever/\$basearch/\ngpgcheck=0\nenabled=1" | sudo tee -a /etc/yum.repos.d/trivy.repo

After adding the Trivy repository, update your server and install the trivy package as follows:

sudo yum -y install trivy

To install trivy from its RPM source, you will need to get the latest Trivy release then run the commands below:

VER=$(curl -s|grep tag_name|cut -d '"' -f 4|sed 's/v//')
sudo yum localinstall ./trivy_${VER}_Linux-64bit.rpm

Install Trivy on Debian / Ubuntu

Similar to installing Trivy on CentOS, you also have two options here for installing it on your Debian or Ubuntu box. You can either use Trivy’s repository or install it directly from its DEB source. To install from the repository, add the following repo then proceed to install Trivy.

sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - | sudo apt-key add -
echo deb $(lsb_release -sc) main | sudo tee /etc/apt/sources.list.d/trivy.list

After adding the Trivy repository, update your server and install trivy package as follows:

sudo apt-get update
sudo apt-get install trivy

Alternatively, if you are a deb source fan, you can install Trivy using its DEB package. To install Trivy this way, you will need to get the latest Trivy release and then run the commands below:

VER=$(curl -s|grep tag_name|cut -d '"' -f 4|sed 's/v//')
sudo apt install ./trivy_${VER}_Linux-64bit.deb

Install Trivy on Arch Linux / Manjaro

Well, for all loyal Arch fans, you can easily get Trivy installed on your computer by using the pikaur or yay AUR helpers as shown below.

pikaur -Sy trivy-bin

Or you can use yay AUR helper too like so:

yay -Sy trivy-bin

Getting Trivy installed on macOS

Mac users are not left behind either: you can have this cool tool installed on your macOS via Homebrew by running the command below.

brew install aquasecurity/trivy/trivy

Trivy in Action – How To Use Trivy

Once Trivy is installed, we are ready to plunge into business immediately. Trivy covers a myriad of use cases, and we shall cover some of them in this guide.

Scanning a Filesystem

Trivy can scan a filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem). During scanning it will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json. The syntax goes like:

$ trivy fs /home/vagrant

2020-11-09T10:35:41.656Z        WARN    OS is not detected and vulnerabilities in OS packages are not detected.
2020-11-09T10:35:41.656Z        INFO    Detecting ruby vulnerabilities...
2020-11-09T10:35:41.656Z        INFO    Detecting nodejs vulnerabilities...

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Scanning your Git Repository

You can also scan a remote git repository with this simple yet powerful tool. Note that only public repositories are supported here. Scan your Git repository using the repo subcommand as follows:

$ trivy repo

2020-11-09T07:13:25.265Z        INFO    Need to update DB
2020-11-09T07:13:25.265Z        INFO    Downloading DB...
19.13 MiB / 19.13 MiB [-----------------------------------------------------------] 100.00% 512.75 KiB p/s 38s
Enumerating objects: 2338, done.
Counting objects: 100% (2338/2338), done.
Compressing objects: 100% (1260/1260), done.

Total 2338 (delta 1229), reused 1943 (delta 933), pack-reused 0
2020-11-09T07:40:29.758Z        WARN    OS is not detected and vulnerabilities in OS packages are not detected.

Scanning an image

After developing and consolidating your application into an image (Docker or similar), you have the option of finding out any security issue you may have overlooked. Simply specify an image name and a tag along with your trivy command as follows.

List your images

$ docker images

REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              c39a868aad02        3 days ago          133MB

$ trivy image nginx

You should see a long and detailed report on your terminal output. A snippet is shared below.


Embed Trivy in Dockerfile

Another cool feature of this tool is that you can include it in your Dockerfile so that it scans everything as the image builds, and with --exit-code 1 the build fails if vulnerabilities are found. We shall use a minimal Alpine-based image for demonstration here as follows:

$ vim Dockerfile
FROM alpine:3.7

RUN apk add curl \
    && curl -sfL | sh -s -- -b /usr/local/bin \
    && trivy filesystem --exit-code 1 --no-progress /

Then build your image with an output similar to the one shown below as you relax.

$ docker build -t scanned-image .
Sending build context to Docker daemon 8.704 kB
Step 1/2 : FROM alpine:3.7
Trying to pull repository ...
3.7: Pulling from
5d20c808ce19: Pull complete
Digest: sha256:8421d9a84432575381bfabd248f1eb56f3aa21d9d7cd2511583c68c9b7511d10
Status: Downloaded newer image for
 ---> 6d1ef012b567
Step 2/2 : RUN apk add curl     && curl -sfL | sh -s 
-- -b /usr/local/bin     && trivy filesystem --exit-code 1 --no-progress /
 ---> Running in 445558539f6f

(1/4) Installing ca-certificates (20190108-r0)
(2/4) Installing libssh2 (1.9.0-r1)
(3/4) Installing libcurl (7.61.1-r3)
(4/4) Installing curl (7.61.1-r3)
Executing busybox-1.27.2-r11.trigger
Executing ca-certificates-20190108-r0.trigger
OK: 6 MiB in 17 packages
aquasecurity/trivy info checking GitHub for latest tag
aquasecurity/trivy info found version: 0.12.0 for v0.12.0/Linux/64bit
aquasecurity/trivy info installed /usr/local/bin/trivy
2020-11-09T10:13:02.597Z        INFO    Need to update DB
2020-11-09T10:13:02.597Z        INFO    Downloading DB...
2020-11-09T10:13:27.545Z        INFO    Detecting Alpine vulnerabilities...
2020-11-09T10:13:27.547Z        WARN    This OS version is no longer supported by the distribution: alpine 3.7.3
2020-11-09T10:13:27.547Z        WARN    The vulnerability detection may be insufficient because security updates are not provided   

445558539f6f (alpine 3.7.3)
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)

| musl       | CVE-2019-14697   | CRITICAL | 1.1.18-r3         | 1.1.18-r4     | musl libc through 1.1.23       |
|            |                  |          |                   |               | has an x87 floating-point      |
|            |                  |          |                   |               | stack adjustment imbalance,    |
|            |                  |          |                   |               | related...                     |
+------------+                  +          +                   +               +                                +
| musl-utils |                  |          |                   |               |                                |
|            |                  |          |                   |               |                                |
|            |                  |          |                   |               |                                |
|            |                  |          |                   |               |                                |


Filter the vulnerabilities by severities

In case you have special needs and require the generated report to be filtered so that you only see HIGH and CRITICAL findings, then Trivy will do it for you out of the box. Simply run a command similar to the following:

$ trivy image --severity HIGH,CRITICAL nginx:latest
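The severity filter above and the --exit-code 1 flag from the Dockerfile section combine into a CI gate. The following is an added example written for this guide; it is not code from the original post or from the Trivy project. It builds the gate command, and it also sums the HIGH and CRITICAL counts from Trivy's "Total:" summary lines so a pipeline can make the same decision from a saved text report (a filesystem scan prints one summary line per lock file, so all of them are added up). The flags --severity, --exit-code, --ignore-unfixed and --no-progress are real Trivy flags; the function names and the sample summary lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post or the Trivy project): a small CI gate
# around `trivy image`. Function names and sample reports are constructed here.

# Print the trivy command that fails the build (exit code 1) on any finding at the
# given severities (default HIGH,CRITICAL) for which a fixed version exists.
trivy_gate_cmd() {
    image="$1"
    severities="${2:-HIGH,CRITICAL}"
    printf 'trivy image --severity %s --ignore-unfixed --exit-code 1 --no-progress %s\n' \
        "$severities" "$image"
}

# Sum the HIGH and CRITICAL counts from Trivy table-mode summary lines read on stdin:
#   Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
# Every "Total:" line is counted, so multi-target (filesystem) reports are summed.
count_high_critical() {
    awk '/^Total:/ {
            for (i = 1; i <= NF; i++)
                if ($i == "HIGH:" || $i == "CRITICAL:") {
                    v = $(i + 1); gsub(/[^0-9]/, "", v); sum += v
                }
        }
        END { print sum + 0 }'
}

# Apply the policy to a report read on stdin: returns 0 (pass) or 1 (fail).
gate_report() {
    n=$(count_high_critical)
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n HIGH/CRITICAL findings" >&2
        return 1
    fi
    echo "PASS: no HIGH/CRITICAL findings"
    return 0
}

# Constructed sample reports (not real scan output) to show both outcomes offline.
SAMPLE_CLEAN='Total: 0 (UNKNOWN: 0, LOW: 3, MEDIUM: 1, HIGH: 0, CRITICAL: 0)'
SAMPLE_DIRTY='Total: 5 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 1, CRITICAL: 2)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)'

# Run the real scan when trivy is installed; otherwise demonstrate on the samples.
main() {
    if command -v trivy >/dev/null 2>&1; then
        cmd=$(trivy_gate_cmd "${1:-nginx:latest}")
        echo "+ $cmd"
        sh -c "$cmd"
    else
        printf '%s\n' "$SAMPLE_CLEAN" | gate_report
        printf '%s\n' "$SAMPLE_DIRTY" | gate_report || true
    fi
}

main "$@"
```

Passing --ignore-unfixed means findings with no available fix are reported elsewhere but do not block the build; drop the flag if your policy requires every HIGH/CRITICAL finding to block regardless of fix availability.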


Scan your project with a lock file

If you have a Python project, there is a high likelihood that it has a lock file in it. You can therefore scan such a project with trivy as follows:

$ trivy fs ~/src/

Scanning a container from inside the container

To add even more sugar to the sweet savour we are enjoying, it is worth mentioning that Trivy can scan your running container from inside the container. It never falls short of surprises. This is how that can be achieved; note that you do not need Trivy installed on the host machine. Start a shell in the container, then run the remaining commands at the container's own prompt (shown with the # root prompt below):

$ docker run --rm -it nginx bash
# curl -sfL | sh -s -- -b /usr/local/bin
# trivy fs /

We have only peeled some leaves of Trivy’s onion and there is much more left for you to scratch and explore. For more information about this cool security companion, check its official GitHub page and you will leave there with a smile.

Concluding Thoughts

We only marvel when we consider what innovation and technology continues to do in our spheres of life. While there may be more opportunities and room for hackers to dip their feet in, there are warriors that do everything in their power to empower the vulnerable. Trivy is one such heroic tool and we hope that maximum support is going to be accorded to the developers. Otherwise, we are happy that you visited and we hope the guide was as helpful as we hoped it would be.


A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.