Scan for Docker Image and Git vulnerabilities using Trivy


Docker images are the foundation of every container you spin up and a convenient way to deploy an application, but how secure the result is depends on the strategy used to build the container image. Container images that carry vulnerabilities expose the application to security threats. Usually, a Docker image is built from a Dockerfile with at least one layer from a base image and further layers piled on top as described in the Dockerfile. Once built from the Dockerfile, the image's contents are fixed, so any vulnerability in it stays there until the image is rebuilt.

A vulnerability can be defined as a point of weakness that can be exploited and cause a security threat. To scan for these vulnerabilities, we can use Trivy. This is a simple and comprehensive tool that can be used to scan for vulnerabilities in file systems, Git repositories, and container images, as well as for misconfigurations. This open-source tool was developed by Aqua Security in 2019. It detects vulnerabilities in Alpine, RHEL, CentOS, etc. packages as well as in language-specific package managers such as Bundler, Composer, npm, yarn, etc. Moreover, it can be used to scan Infrastructure as Code (IaC) files, for example Kubernetes and Terraform, and detect configuration issues. You can also use Trivy to scan for hardcoded secrets such as passwords, API keys, and tokens.

The amazing features brought by Trivy are:

  • Simple: using Trivy only involves specifying an image name, a directory containing IaC configs, or an artifact name
  • Easy installation: it can be installed easily from apt, yum, brew, or Docker Hub. No prerequisites such as a database or system libraries are required.
  • High accuracy: it offers high accuracy, especially on Alpine Linux and RHEL/CentOS; accuracy on other OSes is also high.
  • Support for multiple targets: it can scan container images, local filesystems, and remote Git repositories
  • Fast: the first scan takes less than 10 seconds depending on your internet speed (the vulnerability database is downloaded on first use); subsequent scans finish in about a second.
  • Detect IaC misconfigurations: it has a wide variety of built-in policies that can be used to detect misconfigurations in Kubernetes, Terraform, Docker, etc.

In this guide, we will learn how to scan for Docker Image and Git vulnerabilities using Trivy.

Install Trivy on Your System

Trivy can be installed on different platforms. This involves adding the Trivy repositories to the system and then installing it via the package manager.

1. Install Trivy on RHEL / CentOS / Rocky

Add the repository using the command:

RELEASE_VERSION=$(grep -Po '(?<=VERSION_ID=")[0-9]' /etc/os-release)
cat << EOF | sudo tee -a /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$RELEASE_VERSION/\$basearch/
gpgcheck=0
enabled=1
EOF

Once added, install Trivy using the command:

sudo yum -y install trivy

Alternatively, you can install Trivy using an RPM package obtained from the GitHub Releases page:

sudo yum -y install wget curl
VER=$(curl -s https://api.github.com/repos/aquasecurity/trivy/releases/latest|grep tag_name|cut -d '"' -f 4|sed 's/v//')
wget https://github.com/aquasecurity/trivy/releases/download/v${VER}/trivy_${VER}_Linux-64bit.rpm
sudo rpm -Uvh ./trivy_${VER}_Linux-64bit.rpm

2. Install Trivy on Debian/Ubuntu

The Trivy repository can be added to Debian/Ubuntu systems using the commands:

sudo apt install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee /etc/apt/sources.list.d/trivy.list

Now update the APT package index and install Trivy:

sudo apt update
sudo apt install trivy

You can also use a DEB package obtained from the GitHub Releases page:

VER=$(curl -s https://api.github.com/repos/aquasecurity/trivy/releases/latest|grep tag_name|cut -d '"' -f 4|sed 's/v//')
wget https://github.com/aquasecurity/trivy/releases/download/v${VER}/trivy_${VER}_Linux-64bit.deb
sudo dpkg -i trivy_${VER}_Linux-64bit.deb

3. Install Trivy on Arch Linux

Trivy can be installed on Arch Linux from the Arch User Repository as shown:

  • yay
yay -Sy trivy-bin
  • pikaur
pikaur -Sy trivy-bin

4. Homebrew

Homebrew provides Trivy packages for both macOS and Linux systems. You can use the command below to install Trivy from Homebrew:

brew install aquasecurity/trivy/trivy

Scanning For Vulnerabilities using Trivy

Once Trivy has been installed, it can be used to perform vulnerability scanning on:

  • Container Images
  • Filesystem
  • Git Repositories

The steps below show how to perform each of these scans.

A. Scanning Container Image Vulnerabilities using Trivy

Trivy can be used to scan container images with a simple command of the following syntax:

trivy image [YOUR_IMAGE_NAME]

For example:

trivy image python:3.4-alpine

Sample Output:

[Screenshot of the Trivy image scan output omitted.]

You can also scan an image saved as a TAR archive, for example:

docker pull ruby:3.1-alpine3.15
docker save ruby:3.1-alpine3.15 -o ruby-3.1.tar
trivy image --input ruby-3.1.tar

Sample Output:

[Screenshot of the Trivy scan output for the TAR archive omitted.]

B. Scanning Filesystem Vulnerabilities using Trivy

The command used for this has the following syntax:

$ trivy fs /path/to/project

For example, scanning a local project with language-specific files:

git clone https://github.com/aquasecurity/trivy-ci-test.git 
trivy fs trivy-ci-test

Sample Output:

[Screenshot of the Trivy filesystem scan output omitted.]

You can also scan a single file in the project, say Pipfile.lock, using the command:

trivy fs trivy-ci-test/Pipfile.lock

C. Scanning for Git Repository Vulnerabilities using Trivy

To scan a Git repository for vulnerabilities, a command with the following syntax is used:

$ trivy repo https://github.com/knqyf263/trivy-ci-test

Replace https://github.com/knqyf263/trivy-ci-test with the URL of your Git repository.

Execution output:

[Screenshot of the Trivy repository scan output omitted.]

To scan a private Git repository, you need to set the GITHUB_TOKEN or GITLAB_TOKEN environment variable. The token must be valid and have access to the repository.

For example:

##For GITHUB##
export GITHUB_TOKEN="your_private_github_token"
trivy repo 

##For GITLAB##
export GITLAB_TOKEN="your_private_gitlab_token"
trivy repo 

Once the token is exported, the command to scan the repository is the same as the one used above for a public repository.

Misconfiguration Scanning with Trivy

Aside from scanning for vulnerabilities, you can use Trivy to scan for misconfigurations in Docker, Kubernetes, Terraform, and CloudFormation files. It is also possible to write your own policies in Rego, which Trivy will then apply to your JSON, YAML, etc. files.

The command used here has the following syntax:

$ trivy config [YOUR_IaC_DIRECTORY]

For example, scanning a Dockerfile:

mkdir iac 
vim iac/Dockerfile

Add the below lines to the file:

FROM composer:1.7.2
COPY composer_laravel.lock /php-app/composer.lock
COPY Gemfile_rails.lock /ruby-app/Gemfile.lock
COPY package-lock_react.json /node-app/package-lock.json
COPY Pipfile.lock /python-app/Pipfile.lock
COPY Cargo.lock /rust-app/Cargo.lock

Save and scan the file using the command:

trivy config ./iac

Sample Output:

[Screenshot of the Trivy Dockerfile misconfiguration scan output omitted.]

Trivy also detects the file type automatically when your directory contains mixed IaC files, for example:

$ ls iac/
Dockerfile  deployment.yaml  main.tf mysql-8.8.26.tar

Perform the scan:

trivy conf --severity HIGH,CRITICAL ./iac

Sample Output:

Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)
...

deployment.yaml (kubernetes)
============================
Tests: 28 (SUCCESSES: 15, FAILURES: 13, EXCEPTIONS: 0)
Failures: 13 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)

...

main.tf (terraform)
===================
Tests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)
Failures: 9 (HIGH: 6, CRITICAL: 1)
...

bucket.yaml (cloudformation)
============================
Tests: 9 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)
...

mysql-8.8.26.tar:templates/primary/statefulset.yaml (helm)
==========================================================
Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
....

It is possible to enable misconfiguration detection in container image, filesystem, and Git repository scans by adding the --security-checks config flag. For example:

##For container images
trivy image --security-checks config IMAGE_NAME

##For filesystems
trivy fs --security-checks config /path/to/dir
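Trivy can fail a pipeline on its own with --exit-code 1 together with --severity and --ignore-unfixed, but writing the report as JSON (-f json) lets you apply your own gating policy across both the vulnerability results from the image and filesystem scans above and the misconfiguration results from this section. The Python below is an added example, not part of the original post or of Trivy itself: it reads a report of that shape and returns a CI exit code, and the report embedded in it is constructed sample data with placeholder CVE and check IDs.

```python
import json

# Trivy severity levels, ordered from least to most severe.
SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the shape of `trivy image -f json` output when both
# vulnerability and config checks run. IDs and versions are placeholders.
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "ArtifactName": "example/app:1.0", "Results": [
    {"Target": "example/app:1.0 (alpine 3.15.0)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2099-0001", "PkgName": "libssl1.1", "Severity": "HIGH",
         "InstalledVersion": "1.1.1k-r0", "FixedVersion": "1.1.1l-r0"},
        {"VulnerabilityID": "CVE-2099-0002", "PkgName": "busybox", "Severity": "CRITICAL",
         "InstalledVersion": "1.34.1-r3", "FixedVersion": ""},   # no fix released yet
        {"VulnerabilityID": "CVE-2099-0003", "PkgName": "zlib", "Severity": "LOW",
         "InstalledVersion": "1.2.11-r3", "FixedVersion": "1.2.12-r0"}]},
    {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile", "Misconfigurations": [
        {"ID": "DS-EXAMPLE", "Title": "Image runs as root", "Severity": "HIGH", "Status": "FAIL"}]}]})


def gate(report_json, min_severity="HIGH", ignore_unfixed=False):
    """Return (exit_code, findings) for a Trivy JSON report: exit_code is 1 when any
    vulnerability or failed misconfiguration check is at or above min_severity.
    ignore_unfixed=True skips vulnerabilities without a FixedVersion (like
    --ignore-unfixed). Each finding is a (kind, target, id, severity) tuple."""
    threshold = SEVERITIES.index(min_severity)
    findings = []
    for result in json.loads(report_json).get("Results", []):
        target = result.get("Target", "")
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            if SEVERITIES.index(vuln.get("Severity", "UNKNOWN")) >= threshold:
                findings.append(("vuln", target, vuln["VulnerabilityID"], vuln["Severity"]))
        for misconf in result.get("Misconfigurations") or []:
            # Trivy lists only FAIL entries unless --include-non-failures is set.
            if misconf.get("Status", "FAIL") != "FAIL":
                continue
            if SEVERITIES.index(misconf.get("Severity", "UNKNOWN")) >= threshold:
                findings.append(("misconfig", target, misconf["ID"], misconf["Severity"]))
    return (1 if findings else 0), findings


if __name__ == "__main__":
    import sys
    # Pipe a real report in: trivy image -f json --security-checks vuln,config IMAGE | python gate.py
    code, found = gate(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT)
    for kind, target, ident, severity in found:
        print(f"{severity:<9}{kind:<10}{ident:<16}{target}")
    sys.exit(code)
```

Run without input to see the gate applied to the embedded sample; in CI the non-zero exit status fails the job when a HIGH or CRITICAL finding is present.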

Closing Thoughts

We have walked through how to scan for vulnerabilities in Docker images, filesystems, and Git repositories, and for misconfigurations in IaC files, using Trivy. I hope this was helpful.


A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.