Trivy [2] tool vulnerability scanning

Last time we did understand trivy Installation tutorial , Next we are familiar with trviy Command scenario Application .

Trivy Is a simple and comprehensive vulnerability / Misconfiguration / Secret scanner , For containers and other workpieces . Check the operating system package （Alpine、RHEL、CentOS etc. ） And language specific packages （Bundler、Composer、npm、yarn etc. ） A loophole in the . Besides , scanning Terraform and Kubernetes Such infrastructure is code (IaC) file , To detect potential configuration issues that put your deployment at risk of attack . Also scan hard coded secrets vyTrivyTrivyTrivy Like passwords 、API Keys and tokens . Trivy Easy to use .

1. Scan image

trivy image nginx:1.18.0
trivy image --severity CRITICAL nginx:1.18.0
trivy image --severity CRITICAL, HIGH nginx:1.18.0
trivy image --ignore-unfixed nginx:1.18.0

# Scanning image tarball
docker save nginx:1.18.0 > nginx.tar
trivy image --input archive.tar

# Scan and output results to file
trivy image --output python_alpine.txt python:3.10.0a4-alpine
trivy image --severity HIGH --output /root/python.txt python:3.10.0a4-alpine

# Scan image tarball
trivy image --input alpine.tar --format json --output /root/alpine.json

Scan and decompress the image file system

$ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
$ trivy rootfs /tmp/rootfs

2. The embedded Dockerfile scanning

By way of Trivy The embedded Dockerfile To scan your image as part of the build process . This method can be used to update the current use Aqua Of Microscanner Of Dockerfile

$ cat Dockerfile
FROM alpine:3.7

RUN apk add curl \
    && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \
    && trivy rootfs --exit-code 1 --no-progress /

$ docker build -t vulnerable-image .

perhaps , You can use Trivy. Thus avoiding insecurity curl | sh. The image has not changed .

[...]
# Run vulnerability scan on build image
FROM build AS vulnscan
COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
RUN trivy rootfs --exit-code 1 --no-progress /
[...]

3. Scan the file system

3.1 Independent mode

 Local projects 
trivy fs /path/to/project
trivy fs ~/src/github.com/aquasecurity/trivy-ci-test
 Single file 
trivy fs ~/src/github.com/aquasecurity/trivy-ci-test/Pipfile.lock

3.2 client/server

trivy server
trivy fs --server http://localhost:4954 --severity CRITICAL ./integration/testdata/fixtures/fs/pom/

3. scanning Rootfs

Scan the root file system （ For example, host 、 Virtual machine image or unpackaged container image file system ）

$ trivy rootfs /path/to/rootfs
$ docker run --rm -it alpine:3.11
/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
/ # trivy rootfs /

4. scanning git Warehouse

4.1 Scan your remote git The repository

trivy repo https://github.com/knqyf263/trivy-ci-test

4.2 Scan branch

Pass –branch With a valid branch name agrument：

$ trivy repo --branch <branch-name> <repo-name>

4.3 Scan to Commit

Pass –commit With a valid commit hash agrument：

$ trivy repo --commit <commit-hash> <repo-name>

4.4 Scan tags

Pass –tag With a valid label agrument：

$ trivy repo --tag <tag-name> <repo-name>

4.5 Scan private repositories

To scan private GitHub or GitLab The repository , Environment variables must be set separately GITHUB_TOKEN or , And use a valid token that has access to the private repository being scanned ：GITLAB_TOKEN
Environment variables will GITHUB_TOKEN Prior to the GITLAB_TOKEN, So if you want to scan private GitLab The repository , be GITHUB_TOKEN You must cancel the setting .

for example ：

$ export GITHUB_TOKEN="your_private_github_token"
$ trivy repo <your private GitHub repo URL>
$
$ # or
$ export GITLAB_TOKEN="your_private_gitlab_token"
$ trivy repo <your private GitLab repo URL>

5. Scan for misconfiguration

Just specify one that contains IaC File directory , for example Terraform、CloudFormation and Dockerfile.
Format ：trivy config [YOUR_IaC_DIRECTORY]

example

$ ls build/
Dockerfile
$ trivy config ./build
2022-05-16T13:29:29.952+0100    INFO    Detected config files: 1

Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

MEDIUM: Specify a tag in the 'FROM' statement for image 'alpine'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.

See https://avd.aquasec.com/misconfig/ds001
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Dockerfile:1
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 [ FROM alpine:latest
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

You can also go through --security-checks config.

$ trivy image --security-checks config IMAGE_NAME

$ trivy fs --security-checks config /path/to/dir

And config Different subcommands image,fs and repo Subcommands can also scan vulnerabilities and secrets at the same time . You can specify --security-checks vuln,config,secret Enable vulnerability and secret detection and misconfiguration detection .

$ ls myapp/
Dockerfile Pipfile.lock
$ trivy fs --security-checks vuln,config,secret --severity HIGH,CRITICAL myapp/
2022-05-16T13:42:21.440+0100    INFO    Number of language-specific files: 1
2022-05-16T13:42:21.440+0100    INFO    Detecting pipenv vulnerabilities...
2022-05-16T13:42:21.440+0100    INFO    Detected config files: 1

Pipfile.lock (pipenv)
=====================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                           │
├──────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ httplib2 │ CVE-2021-21240 │ HIGH     │ 0.12.1            │ 0.19.0        │ python-httplib2: Regular expression denial of service via │
│          │                │          │                   │               │ malicious header                                          │
│          │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-21240                │
└──────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

Dockerfile (dockerfile)
=======================
Tests: 17 (SUCCESSES: 16, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Last USER command in Dockerfile should not be 'root'
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Dockerfile:3
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
3 [ USER root
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

In the example above ,Trivy Detected. Python Vulnerabilities and dependencies Dockerfile Incorrect configuration in .

6. Type detection

The specified directory can contain mixed types IaC file .Trivy Automatically detect the configuration type and apply relevant policies .

for example , The following example will Terraform、CloudFormation、Kubernetes、Helm Charts and Dockerfile Of IaC The files are saved in the same directory .

$ ls iac/
Dockerfile  deployment.yaml  main.tf mysql-8.8.26.tar
$ trivy conf --severity HIGH,CRITICAL ./iac

Output ：

Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

...

deployment.yaml (kubernetes)
============================
Tests: 28 (SUCCESSES: 15, FAILURES: 13, EXCEPTIONS: 0)
Failures: 13 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)

...

main.tf (terraform)
===================
Tests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)
Failures: 9 (HIGH: 6, CRITICAL: 1)

...

bucket.yaml (cloudformation)
============================
Tests: 9 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)

...

mysql-8.8.26.tar:templates/primary/statefulset.yaml (helm)
==========================================================
Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)

We will introduce it in the next article trivy utilize rego Language writing custom policies .
Reference resources ：

• Trivy official