Security evolves every so often to the point that it looks very scary to cogitate about. Before releasing applications to a production environment, there needs to be very serious security considerations and protocols to help safeguard your assets. This is because the internet hosts a bunch of bad guys waiting to claw into the flesh of what you have spent sleepless nights on and just deployed. In an effort to contribute to the safety and security of your containerized applications, today we are going to head into this path of security. This is all with the hope of inspiring some hope and provide tools that can be your companion in this journey. Today, we present and ululate Trivy.
Trivy is a Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts. It helps detect vulnerabilities of Operating System packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily giving you the confidence that all is well with your application without more stressful configurations to use like other scanners.
Features of Trivy
Trivy in its glory and quititude holds the following features that you will enjoy:
- Detection of comprehensive vulnerabilities
- Simplicity – Specify only an image name or artifact name
- Fast – The first scan will finish within 10 seconds (depending on your network). Consequent scans will finish in single seconds
- DevSecOps – Suitable for CI such as Travis CI, CircleCI, Jenkins, GitLab CI, etc
- Support multiple formats – Including: container image, local filesystem, remote git repository
- Easy installation – apt-get install, yum install and brew install is possible with no pre-requisites such as installation of DB, libraries, etc.
How To Install Trivy Container Image Scanner
Trivy can be installed in a number of Linux distributions as well as on MacOS. We shall cover installation of Trivy on CentOS, Ubuntu, Debian, Arch and MacOS. And let the show begin.
Getting Trivy installed on CentOS
You have two options here if you would wish to install Trivy on your CentOS box. You can either use Trivy’s repository or install it directly from its RPM source. To install from repository, add the following repository then proceed to install Trivy.
echo -e "\n[trivy]\nname=Trivy repository\nbaseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/\$releasever/\$basearch/\ngpgcheck=0\nenabled=1" | sudo tee -a /etc/yum.repos.d/kubernetes.repo
After adding the Trivy repository, update your server and install the trivy package as follows:
sudo yum -y install trivy
To install trivy from its RPM source, you will need to get the latest Trivy release then run the commands below:
VER=$(curl -s https://api.github.com/repos/aquasecurity/trivy/releases/latest|grep tag_name|cut -d '"' -f 4|sed 's/v//') wget https://github.com/aquasecurity/trivy/releases/download/v$VER/trivy_$VER_Linux-64bit.rpm sudo yum localinstall ./trivy_$VER_Linux-64bit.rpm
Install Trivy on Debian / Ubuntu
Similar to installing Trivy on CentOS, you also have two options here you can use to install it on your Debian|Ubuntu
box. You can either use Trivy’s repository or install it directly from its DEB source. To install from repository, add the following repo then proceed to install Trivy.
sudo apt-get install wget apt-transport-https gnupg lsb-release wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee /etc/apt/sources.list.d/trivy.list
After adding the Trivy repository, update your server and install trivy package as follows:
sudo apt-get update sudo apt-get install trivy
Alternatively, if you are a deb source fan, you can install Trivy using its DEB source. To install trivy this way, you will need to get the latest Trivy release then run the commands below: as follows:
VER=$(curl -s https://api.github.com/repos/aquasecurity/trivy/releases/latest|grep tag_name|cut -d '"' -f 4|sed 's/v//') wget https://github.com/aquasecurity/trivy/releases/download/v$VER/trivy_$VER_Linux-64bit.deb sudo apt install ./trivy_$VER_Linux-64bit.deb
Install Trivy on Arch Linux / Manjaro
Well, to all Arch loyal fans, you can easily get Trivy installed on your computer by using pikaur or yay AUR helpers as shown below.
pikaur -Sy trivy-bin
Or you can use yay AUR helper too like so:
yay -Sy trivy-bin
Getting Trivy installed on macOS
For Mac users, you are not left behind, you can have this cool tool installed on your MacOS via Homebrew by running the command below
brew install aquasecurity/trivy/trivy
Trivy in Action – How To Use Trivy
Once Trivy is installed, we are ready to plunge into business immediately. There are myriads of use cases that Trivy covers and we shall cover some of them in this guide.
Scanning a Filesystem
Trivy can scan a filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem). During scanning it will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json. The syntax goes like:
$ trivy fs /home/vagrant 2020-11-09T10:35:41.656Z WARN OS is not detected and vulnerabilities in OS packages are not detected. 2020-11-09T10:35:41.656Z INFO Detecting ruby vulnerabilities... 2020-11-09T10:35:41.656Z INFO Detecting nodejs vulnerabilities... octant/site/Gemfile.lock ======================== Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0) octant/web/package-lock.json ============================ Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
Scanning your Git Repository
Fortunately, you can scan your remote git repository with this simple yet powerful tool. And it should be noted that only public repositories are supported here. Scan your Git repository using the repo switch as follows:
$ trivy repo https://github.com/aquasecurity/trivy 2020-11-09T07:13:25.265Z INFO Need to update DB 2020-11-09T07:13:25.265Z INFO Downloading DB... 19.13 MiB / 19.13 MiB [-----------------------------------------------------------] 100.00% 512.75 KiB p/s 38sEnumerating objects: 2338, done. Counting objects: 100% (2338/2338), done. Compressing objects: 100% (1260/1260), done. Total 2338 (delta 1229), reused 1943 (delta 933), pack-reused 0 2020-11-09T07:40:29.758Z WARN OS is not detected and vulnerabilities in OS packages are not detected.
Scanning an image
After developing and consolidating your application into an image (Docker or so), you have the option of finding out any security issue you may have overlooked. Simply specify an image name and a tag along with your trivy command as follows.
List your images
$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE nginx latest c39a868aad02 3 days ago 133MB $ trivy image nginx
You should see a long and detailed report on your terminal output. A snippet is shared below.
Embed Trivy in Dockerfile
Another cool feature about this tool is that you can include it in your Dockerfile and it will scan everything as it builds the image. We shall use Nginx image for demonstration here as follows:
$ vim Dockerfile FROM alpine:3.7 RUN apk add curl \ && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin \ && trivy filesystem --exit-code 1 --no-progress /
Then build your image with an output similar to the one shown below as you relax.
$ docker build -t scanned-image . Sending build context to Docker daemon 8.704 kB Step 1/2 : FROM alpine:3.7 Trying to pull repository docker.io/library/alpine ... 3.7: Pulling from docker.io/library/alpine 5d20c808ce19: Pull complete Digest: sha256:8421d9a84432575381bfabd248f1eb56f3aa21d9d7cd2511583c68c9b7511d10 Status: Downloaded newer image for docker.io/alpine:3.7 ---> 6d1ef012b567 Step 2/2 : RUN apk add curl && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin && trivy filesystem --exit-code 1 --no-progress / ---> Running in 445558539f6f fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/APKINDEX.tar.gz fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/community/x86_64/APKINDEX.tar.gz (1/4) Installing ca-certificates (20190108-r0) (2/4) Installing libssh2 (1.9.0-r1) (3/4) Installing libcurl (7.61.1-r3) (4/4) Installing curl (7.61.1-r3) Executing busybox-1.27.2-r11.trigger Executing ca-certificates-20190108-r0.trigger OK: 6 MiB in 17 packages aquasecurity/trivy info checking GitHub for latest tag aquasecurity/trivy info found version: 0.12.0 for v0.12.0/Linux/64bit aquasecurity/trivy info installed /usr/local/bin/trivy 2020-11-09T10:13:02.597Z INFO Need to update DB 2020-11-09T10:13:02.597Z INFO Downloading DB... 2020-11-09T10:13:27.545Z INFO Detecting Alpine vulnerabilities... 2020-11-09T10:13:27.547Z WARN This OS version is no longer supported by the distribution: alpine 3.7.3 2020-11-09T10:13:27.547Z WARN The vulnerability detection may be insufficient because security updates are not provided 445558539f6f (alpine 3.7.3) =========================== Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2) +------------+------------------+----------+-------------------+---------------+--------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +------------+------------------+----------+-------------------+---------------+--------------------------------+ | musl | CVE-2019-14697 | CRITICAL | 1.1.18-r3 | 1.1.18-r4 | musl libc through 1.1.23 | | | | | | | has an x87 floating-point | | | | | | | stack adjustment imbalance, | | | | | | | related... | +------------+ + + + + + | musl-utils | | | | | | | | | | | | | | | | | | | | | | | | | | | +------------+------------------+----------+-------------------+---------------+--------------------------------+
Filter the vulnerabilities by severities
In case you have special needs and you require the report being generated to be filtered so that you can see HIGH,CRITICAL and such fields, then Trivy will do it for you out of the box. Simply run a command similar to the following:
$ trivy image --severity HIGH,CRITICAL nginx:latest
Scan your project with a lock file
If you have a Python project, there is a high likelihood that it has a lock file in it. You can therefore scan such a project with trivy as follows:
$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test
Scanning a container from inside the container
To add even more sugar to the sweet savour we are enjoying, it is worth mentioning that Trivy can scan your running container from inside the container. It never falls short of surprises. This is how that can be achieved and note that you do not need Trivy installed on the host machine.
docker run --rm -it nginx \ && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin \ && trivy fs /
We have only peeled some leaves of Trivy’s onion and there is much more left for you to scratch and explore. For more information about this cool security companion, check its offcial GitHub page and you will leave there with a smile.
We only marvel when we consider what innovation and technology continues to do in our spheres of life. While there may be more opportunities and room for hackers to dip their feet in, there are warriors that do everything in their power to empower the vulnerable. Trivy is one such heroic tool and we hope that maximum support is going to be accorded to the developers. Otherwise, we are happy that you visited and we hope the guide was as helpful as we hoped it would be.