The amazing features brought by Trivy are:<\/p>\n\n\n\n
- Simple<\/strong>: using Trivy only involves specifying an image name, a directory containing IaC configs, or an artifact name<\/li>
- Easy installation<\/strong>: It can be installed easily from apt, yum, brew, or docker hub. Also, no prerequisites such as database, system libraries e.t.c are required.<\/li>
- High accuracy:<\/strong> It offers high accuracy, especially on Alpine Linux and RHEL\/CentOS, other OSes are also high.<\/li>
- Support multiple targets:<\/strong> it can be used to scan container images, local filesystem, and remote git repository<\/li>
- Fast<\/strong>: Its first scan takes less than 10 seconds depending on your internet speed. Then the other scans finish in a single second.<\/li>
- Detect IaC misconfigurations<\/strong>: It has a wide variety of built-in policies that can be used to detect misconfigurations on Kubernetes, Terraform, Docker e.t.c<\/li><\/ul>\n\n\n\n
In this guide, we will learn how to scan for Docker Image and Git vulnerabilities using Trivy.<\/p>\n\n\n\n
Install Trivy on Your System<\/h2>\n\n\n\n
Trivy can be installed on different platforms. This involves adding the Trivy repositories to the system and then installing it via the package manager.<\/p>\n\n\n\n
1. Install Trivy on RHEL\/CentOS \/ Rocky<\/h3>\n\n\n\n
Add the repository using the command:<\/p>\n\n\n\n
RELEASE_VERSION=$(grep -Po '(?<=VERSION_ID=\")[0-9]' \/etc\/os-release)\ncat << EOF | sudo tee -a \/etc\/yum.repos.d\/trivy.repo\n[trivy]\nname=Trivy repository\nbaseurl=https:\/\/aquasecurity.github.io\/trivy-repo\/rpm\/releases\/$RELEASE_VERSION\/\\$basearch\/\ngpgcheck=0\nenabled=1\nEOF<\/code><\/pre>\n\n\n\nOnce added, install Trivy using the command:<\/p>\n\n\n\n
sudo yum -y install trivy<\/code><\/pre>\n\n\n\nAlternatively, you can install Trivy using an RPM package obtained from the Github Release page<\/a><\/p>\n\n\n\n
sudo yum -y install wget curl\nVER=$(curl -s https:\/\/api.github.com\/repos\/aquasecurity\/trivy\/releases\/latest|grep tag_name|cut -d '\"' -f 4|sed 's\/v\/\/')\nwget https:\/\/github.com\/aquasecurity\/trivy\/releases\/download\/v${VER}\/trivy_${VER}_Linux-64bit.rpm\nsudo rpm -Uvh .\/trivy_${VER}_Linux-64bit.rpm<\/code><\/pre>\n\n\n\n2. Install Trivy on Debian\/Ubuntu<\/h3>\n\n\n\n
The Trivy repository can be added to Debian\/Ubuntu systems using the commands:<\/p>\n\n\n\n
sudo apt install wget apt-transport-https gnupg lsb-release\nwget -qO - https:\/\/aquasecurity.github.io\/trivy-repo\/deb\/public.key | sudo apt-key add -\necho deb https:\/\/aquasecurity.github.io\/trivy-repo\/deb $(lsb_release -sc) main | sudo tee \/etc\/apt\/sources.list.d\/trivy.list<\/code><\/pre>\n\n\n\nNow update the APT package index and install Trivy:<\/p>\n\n\n\n
sudo apt update\nsudo apt install trivy<\/code><\/pre>\n\n\n\nYou can also use a DEB package obtained from the Github Release page<\/a>.<\/p>\n\n\n\n
VER=$(curl -s https:\/\/api.github.com\/repos\/aquasecurity\/trivy\/releases\/latest|grep tag_name|cut -d '\"' -f 4|sed 's\/v\/\/')\nwget https:\/\/github.com\/aquasecurity\/trivy\/releases\/download\/v${VER}\/trivy_${VER}_Linux-64bit.deb\nsudo dpkg -i trivy_${VER}_Linux-64bit.deb<\/code><\/pre>\n\n\n\n3. Install Trivy on Arch Linux<\/h3>\n\n\n\n
Trivy can be installed on Arch Linux from the Arch User Repository as shown:<\/p>\n\n\n\n
- yay<\/strong><\/li><\/ul>\n\n\n\n
yay -Sy trivy-bin<\/code><\/pre>\n\n\n\n- pikaur<\/strong><\/li><\/ul>\n\n\n\n
pikaur -Sy trivy-bin<\/code><\/pre>\n\n\n\n4. Homebrew<\/h3>\n\n\n\n
Homebrew provided Trivy packages for installation on both macOS and Linux systems. You can use the command below to install Trivy from Homebrew:<\/p>\n\n\n\n
brew install aquasecurity\/trivy\/trivy<\/code><\/pre>\n\n\n\nScanning For Vulnerabilities using Trivy<\/h2>\n\n\n\n
Once Trivy has been installed, it can be used to perform vulnerability scanning on:<\/p>\n\n\n\n
- Container Images<\/li>
- Filesystem<\/li>
- Git Repositories<\/li><\/ul>\n\n\n\n
The below steps can be used to perform any of the mentioned scans.<\/p>\n\n\n\n
A. Scanning Container Images Vulnerabilities using Trivy<\/h3>\n\n\n\n
Trivy Can be used to scan container images using a simple command bearing the below syntax.<\/p>\n\n\n\n
trivy image [YOUR_IMAGE_NAME]<\/code><\/pre>\n\n\n\nFor example:<\/p>\n\n\n\n
trivy image python:3.4-alpine<\/code><\/pre>\n\n\n\nSample Output:<\/p>\n\n\n\n
![\"\"](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2022\/07\/Scan-for-Docker-Image-and-Git-vulnerabilities-using-Trivy-1024x559.png\" "\\"\\"")
<\/figure>\n\n\n\nYou can also use TAR files for example:<\/p>\n\n\n\n
docker pull ruby:3.1-alpine3.15\ndocker save ruby:3.1-alpine3.15 -o ruby-3.1.tar\ntrivy image --input ruby-3.1.tar<\/code><\/pre>\n\n\n\nSample Output:<\/p>\n\n\n\n
![\"\"](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2022\/07\/Scan-for-Docker-Image-and-Git-vulnerabilities-using-Trivy-1-1024x533.png\" "\\"\\"")
<\/figure>\n\n\n\nB. Scanning Filesystem Vulnerabilities using Trivy<\/h3>\n\n\n\n
The command used for this has the syntax:<\/p>\n\n\n\n
trivy fs \/path\/to\/project<\/code><\/pre>\n\n\n\nFor example, scanning a local project with language-specific files:<\/p>\n\n\n\n
git clone https:\/\/github.com\/aquasecurity\/trivy-ci-test.git \ntrivy fs trivy-ci-test<\/code><\/pre>\n\n\n\nSample Output:<\/p>\n\n\n\n
![\"\"](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2022\/07\/Scan-for-Docker-Image-and-Git-vulnerabilities-using-Trivy-2-1024x571.png\" "\\"\\"")
<\/figure>\n\n\n\nYou can also scan a single file in the project, say Pipfile.lock<\/strong> using the command:<\/p>\n\n\n\n
trivy fs trivy-ci-test\/Pipfile.lock<\/code><\/pre>\n\n\n\nScanning for Git Repository Vulnerabilities using Trivy<\/h3>\n\n\n\n
To scan vulnerabilities on a Git Repository, the command with the below syntax is used:<\/p>\n\n\n\n
trivy repo https:\/\/github.com\/knqyf263\/trivy-ci-test<\/em><\/code><\/pre>\n\n\n\nReplace https:\/\/github.com\/knqyf263\/trivy-ci-test<\/strong><\/em> with the Git repo name. <\/p>\n\n\n\n
Execution output:<\/p>\n\n\n\n
![\"\"](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2022\/07\/Scan-for-Docker-Image-and-Git-vulnerabilities-using-Trivy-3-1024x559.png\" "\\"\\"")
<\/figure>\n\n\n\nTo be able to scan a private Git repo, you need to specify your GITHUB_TOKEN<\/strong><\/em> or GITLAB_TOKEN<\/em> <\/strong>environment variables. This token must be valid to be able to access and scan the repository:<\/p>\n\n\n\n
For example:<\/p>\n\n\n\n
##For GITHUB##\n<\/mark><\/em>export GITHUB_TOKEN=\"your_private_github_token<\/em><\/mark>\"\ntrivy repo <your private GitHub repo URL><\/mark><\/em>\n\n##For GITLAB##\n<\/mark><\/em>export GITLAB_TOKEN=\"your_private_gitlab_token<\/em><\/mark>\"\ntrivy repo <your private GitLab repo URL><\/mark><\/em><\/code><\/pre>\n\n\n\nOnce exported, you will realize that the command to scan the repo is similar to the one above.<\/p>\n\n\n\n
Misconfiguration Scanning with Trivy<\/h2>\n\n\n\n
Aside from scanning vulnerabilities, you can use Trivy to scan misconfigurations in Docker, Kubernetes, Terraform, and CloudFormation. It is also possible to write your own policies in Rego<\/a> that will be used to scan your JSON, YAML e.t.c files<\/p>\n\n\n\n
The command with the below syntax is used here:<\/p>\n\n\n\n
trivy config [YOUR_IaC_DIRECTORY]<\/mark><\/em><\/code><\/pre>\n\n\n\nFor example, scanning a Dockerfile:<\/p>\n\n\n\n
mkdir iac \nvim iac\/Dockerfile<\/code><\/pre>\n\n\n\nAdd the below lines to the file:<\/p>\n\n\n\n
FROM composer:1.7.2\nCOPY composer_laravel.lock \/php-app\/composer.lock\nCOPY Gemfile_rails.lock \/ruby-app\/Gemfile.lock\nCOPY package-lock_react.json \/node-app\/package-lock.json\nCOPY Pipfile.lock \/python-app\/Pipfile.lock\nCOPY Cargo.lock \/rust-app\/Cargo.lock<\/code><\/pre>\n\n\n\nSave and scan the file using the command:<\/p>\n\n\n\n
trivy config .\/iac<\/code><\/pre>\n\n\n\nSample Output:<\/p>\n\n\n\n
![\"\"](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2022\/07\/Scan-for-Docker-Image-and-Git-vulnerabilities-using-Trivy-4-1024x287.png\" "\\"\\"")
<\/figure>\n\n\n\nAlso, Trivy offers type detection if your directory contains mixed IaC<\/em> files for example:<\/p>\n\n\n\n
$ ls iac\/<\/mark>\nDockerfile deployment.yaml main.tf mysql-8.8.26.tar<\/code><\/pre>\n\n\n\nPerform the scan:<\/p>\n\n\n\n
trivy conf --severity HIGH,CRITICAL .\/iac<\/code><\/pre>\n\n\n\nSample Output:<\/p>\n\n\n\n
Dockerfile (dockerfile)\n<\/em>=======================\nTests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)\nFailures: 1 (HIGH: 1, CRITICAL: 0)\n...\n\ndeployment.yaml (kubernetes)\n<\/em>============================\nTests: 28 (SUCCESSES: 15, FAILURES: 13, EXCEPTIONS: 0)\nFailures: 13 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)\n\n...\n\nmain.tf (terraform)\n<\/em>===================\nTests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)\nFailures: 9 (HIGH: 6, CRITICAL: 1)\n...\n\nbucket.yaml (cloudformation)\n<\/em>============================\nTests: 9 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 0)\nFailures: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)\n...\n\nmysql-8.8.26.tar:templates\/primary\/statefulset.yaml (helm)\n<\/em>==========================================================\nTests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)\nFailures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)\n....<\/code><\/pre>\n\n\n\nIt is possible to enable misconfiguration detection in a container image, filesystem, and git repository scans by adding the –security-checks<\/em><\/strong> config flag. For example:<\/p>\n\n\n\n
##For container images\n<\/mark><\/em>trivy image --security-checks config IMAGE_NAME<\/mark><\/em>\n\n##For filesystems\n<\/mark><\/em>trivy fs --security-checks config \/path\/to\/dir<\/mark><\/em><\/code><\/pre>\n\n\n\nClosing Thoughts<\/h2>\n\n\n\n
We have triumphantly walked through how to scan for vulnerabilities in Docker images, filesystems, and Git repositories using Trivy. I hope this was fancy.<\/p>\n\n\n\n
Related posts:<\/p>\n\n\n\n
- Install Nessus Vulnerability Scanner on Debian<\/a><\/li>
- Install and Use WPScan – WordPress security scanner<\/a><\/li>
- Scan PHP|JavaScript|C#|HTML using Sonar Scanner and Jenkins<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"
Docker images play the biggest role in spinning containers. This serves as the perfect way to deploy an application. This can be really flawless depending on the strategy used to build your container image. Container images with vulnerabilities can cause a security threat to the application. Usually, a docker image is built from a Dockerfile … Read more<\/a><\/p>\n","protected":false},"author":21,"featured_media":77804,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[316,299,50,75],"tags":[37864,37865],"class_list":["post-120743","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-containers","category-how-to","category-linux-tutorials","category-security","tag-trivy","tag-vulnerabilities-using-trivy"],"_links":{"self":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/120743","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/comments?post=120743"}],"version-history":[{"count":1,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/120743\/revisions"}],"predecessor-version":[{"id":164235,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/120743\/revisions\/164235"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/media\/77804"}],"wp:attachment":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/media?parent=120743"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/categories?post=120743"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/tags?post=120743"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Install and Use WPScan – WordPress security scanner<\/a><\/li>
- Install Nessus Vulnerability Scanner on Debian<\/a><\/li>
- pikaur<\/strong><\/li><\/ul>\n\n\n\n
- Easy installation<\/strong>: It can be installed easily from apt, yum, brew, or docker hub. Also, no prerequisites such as database, system libraries e.t.c are required.<\/li>