Trivy [1] tool scanning application
2022-07-28 02:52:00 【ghostwritten】

1. Introduction
Trivy is a simple and comprehensive vulnerability, misconfiguration and secret scanner for containers and other artifacts. It finds vulnerabilities in operating system packages (Alpine, RHEL, CentOS, etc.) and in language-specific packages (Bundler, Composer, npm, yarn, etc.). It also scans infrastructure-as-code (IaC) files such as Terraform and Kubernetes manifests to detect configuration problems that expose a deployment to attack, and it scans for hard-coded secrets such as passwords, API keys and tokens. Trivy is easy to use: install the binary and you are ready to scan. All a scan needs is a target, for example the name of a container image.

Trivy detects two kinds of security issue:
- Vulnerabilities
- Misconfigurations
Trivy can scan four kinds of artifact:
- Container images
- File systems and rootfs
- Git repositories
- Kubernetes
Trivy can run in two modes:
- Standalone
- Client/Server
Trivy can also run as a Kubernetes Operator:
- Kubernetes Operator
2. Features
Comprehensive vulnerability detection
- Operating system packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
- Language-specific packages (Bundler, Composer, Pipenv, Poetry, npm, yarn, pnpm, Cargo, NuGet, Maven and Go)
IaC misconfiguration detection
Built-in policies are provided out of the box for:
- Kubernetes
- Docker
- Terraform
Custom policies are supported.
Simple
- Specify only an image name, a directory containing IaC configuration, or an artifact name
Fast
- The first scan finishes in about 10 seconds (depending on your network); subsequent scans finish within a few seconds.
- Unlike other scanners, which take a long time (about 10 minutes) on first run to fetch vulnerability information and expect you to maintain a persistent vulnerability database, Trivy is stateless: no maintenance or preparation is required.
Easy installation
- apt-get install, yum install and brew install are all available (see Installation)
- No prerequisites such as installing a database, libraries, etc.
High accuracy
- Especially for Alpine Linux and RHEL/CentOS
- Also very high for other operating systems
DevSecOps
- Suitable for CI systems such as Travis CI, CircleCI, Jenkins and GitLab CI
- See the CI examples
Multiple formats supported
- Container images
- A local image in a Docker Engine running as a daemon
- A local image in Podman (>=2.0) with an exposed socket
- A remote image in a Docker registry, for example Docker Hub, ECR, GCR and ACR
- A tar archive in docker save / podman save format
- An image directory compliant with the OCI Image Format
- Local file systems and rootfs
- Remote git repositories
SBOM (Software Bill of Materials) support
- CycloneDX
- SPDX
- GitHub Dependency Snapshots
3. Scanning images
trivy image nginx:1.18.0
trivy image --severity CRITICAL nginx:1.18.0
trivy image --severity CRITICAL,HIGH nginx:1.18.0
trivy image --ignore-unfixed nginx:1.18.0
# Scan an image tarball
docker save nginx:1.18.0 > nginx.tar
trivy image --input nginx.tar
# Scan and write the results to a file
trivy image --output python_alpine.txt python:3.10.0a4-alpine
trivy image --severity HIGH --output /root/python.txt python:3.10.0a4-alpine
# Scan an image tarball and write the results as JSON
trivy image --input alpine.tar --format json --output /root/alpine.json
Scanning an unpacked image file system
$ mkdir -p /tmp/rootfs
$ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
$ trivy rootfs /tmp/rootfs
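The --severity, --ignore-unfixed and --exit-code options above decide what a CI job treats as a failure. The following added example (not code from the page or from the Trivy project) shows the same selection applied to a JSON report of the kind --format json writes: it flattens the Results array, keeps only the requested severities, optionally drops findings with no FixedVersion, and turns the remainder into an exit code. The report is constructed inline: the httplib2 entry copies the finding shown later on this page, and the CVE-PLACEHOLDER entries are invented placeholders, not real vulnerabilities.

```python
import json
from collections import Counter

SEVERITY_ORDER = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in the shape of `trivy ... --format json` output (schema version 2).
# The httplib2 entry copies the finding shown on the page; the two CVE-PLACEHOLDER
# entries are invented for this example and are not real vulnerabilities.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "myapp/",
    "ArtifactType": "filesystem",
    "Results": [
        {
            "Target": "Pipfile.lock",
            "Class": "lang-pkgs",
            "Type": "pipenv",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2021-21240", "PkgName": "httplib2",
                 "InstalledVersion": "0.12.1", "FixedVersion": "0.19.0",
                 "Severity": "HIGH",
                 "Title": "python-httplib2: Regular expression denial of service via malicious header"},
                {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "example-lib",
                 "InstalledVersion": "1.0.0", "FixedVersion": "",
                 "Severity": "CRITICAL", "Title": "constructed entry with no fix available"},
                {"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "other-lib",
                 "InstalledVersion": "2.3.4", "FixedVersion": "2.3.5",
                 "Severity": "LOW", "Title": "constructed entry"},
            ],
        },
        # A config-class result carries no "Vulnerabilities" key; the loader must tolerate that.
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile"},
    ],
})


def load_vulnerabilities(report_json):
    """Flatten every vulnerability in a Trivy JSON report into one list, tagging each with its Target."""
    report = json.loads(report_json)
    vulns = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            vulns.append({**vuln, "Target": result.get("Target", "")})
    return vulns


def filter_vulnerabilities(vulns, severities=("CRITICAL", "HIGH"), ignore_unfixed=False):
    """Apply the same selection as --severity and --ignore-unfixed."""
    wanted = {s.upper() for s in severities}
    kept = []
    for vuln in vulns:
        if vuln.get("Severity", "UNKNOWN").upper() not in wanted:
            continue
        if ignore_unfixed and not vuln.get("FixedVersion"):
            continue
        kept.append(vuln)
    return kept


def severity_counts(vulns):
    """Count findings per severity, in the order Trivy prints them."""
    counts = Counter(v.get("Severity", "UNKNOWN").upper() for v in vulns)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def gate_exit_code(vulns, fail_on=("CRITICAL", "HIGH"), ignore_unfixed=False):
    """Return 1 if any finding survives the filter, else 0, like `trivy --exit-code 1`."""
    return 1 if filter_vulnerabilities(vulns, fail_on, ignore_unfixed) else 0


if __name__ == "__main__":
    found = load_vulnerabilities(SAMPLE_REPORT)
    print("counts:", severity_counts(found))
    for vuln in filter_vulnerabilities(found):
        print(f"{vuln['Target']}: {vuln['PkgName']} {vuln['InstalledVersion']} "
              f"-> {vuln['FixedVersion'] or 'no fix'} [{vuln['Severity']}] {vuln['VulnerabilityID']}")
    print("exit code (CRITICAL,HIGH):", gate_exit_code(found))
    print("exit code (CRITICAL, ignore unfixed):",
          gate_exit_code(found, ("CRITICAL",), ignore_unfixed=True))
```

With the sample report the default gate fails the build (one HIGH with a fix, one CRITICAL without), while a gate on CRITICAL only with unfixed findings ignored passes, which is exactly the trade-off --ignore-unfixed makes: it keeps the pipeline green for issues nobody can act on yet, so it should be paired with a periodic unfiltered scan.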
4. Embedding Trivy in a Dockerfile
Embed Trivy in your Dockerfile to scan the image as part of the build process. This approach can replace Dockerfiles that currently use Aqua's Microscanner.
$ cat Dockerfile
FROM alpine:3.7
RUN apk add curl \
&& curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \
&& trivy rootfs --exit-code 1 --no-progress /
$ docker build -t vulnerable-image .
Alternatively, you can use the Trivy image in a multi-stage build, which avoids the insecure curl | sh pattern. The final image is unchanged.
[...]
# Run vulnerability scan on build image
FROM build AS vulnscan
COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
RUN trivy rootfs --exit-code 1 --no-progress /
[...]
5. Scanning a file system
5.1 Standalone mode
Local project
trivy fs /path/to/project
trivy fs ~/src/github.com/aquasecurity/trivy-ci-test
Single file
trivy fs ~/src/github.com/aquasecurity/trivy-ci-test/Pipfile.lock
5.2 Client/server mode
trivy server
trivy fs --server http://localhost:4954 --severity CRITICAL ./integration/testdata/fixtures/fs/pom/
6. Scanning a rootfs
Scan a root file system (for example a host, a virtual machine image, or an unpacked container image file system):
$ trivy rootfs /path/to/rootfs
$ docker run --rm -it alpine:3.11
/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
/ # trivy rootfs /
7. Scanning git repositories
7.1 Scanning a remote git repository
trivy repo https://github.com/knqyf263/trivy-ci-test
7.2 Scanning a branch
Pass --branch with a valid branch name as its argument:
$ trivy repo --branch <branch-name> <repo-name>
7.3 Scanning a commit
Pass --commit with a valid commit hash as its argument:
$ trivy repo --commit <commit-hash> <repo-name>
7.4 Scanning a tag
Pass --tag with a valid tag name as its argument:
$ trivy repo --tag <tag-name> <repo-name>
7.5 Scanning private repositories
To scan a private GitHub or GitLab repository, set the GITHUB_TOKEN or GITLAB_TOKEN environment variable respectively to a valid token that has access to the repository being scanned.
GITHUB_TOKEN takes precedence over GITLAB_TOKEN, so to scan a private GitLab repository GITHUB_TOKEN must be unset.
For example:
$ export GITHUB_TOKEN="your_private_github_token"
$ trivy repo <your private GitHub repo URL>
$
$ # or
$ export GITLAB_TOKEN="your_private_gitlab_token"
$ trivy repo <your private GitLab repo URL>
8. Scanning for misconfigurations
Simply specify a directory containing IaC files, for example Terraform, CloudFormation and Dockerfile.
Format: trivy config [YOUR_IaC_DIRECTORY]
Example
$ ls build/
Dockerfile
$ trivy config ./build
2022-05-16T13:29:29.952+0100 INFO Detected config files: 1
Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
MEDIUM: Specify a tag in the 'FROM' statement for image 'alpine'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.
See https://avd.aquasec.com/misconfig/ds001
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Dockerfile:1
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 [ FROM alpine:latest
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
You can also enable the same checks with --security-checks config:
$ trivy image --security-checks config IMAGE_NAME
$ trivy fs --security-checks config /path/to/dir
Unlike the config subcommand, the image, fs and repo subcommands can scan for vulnerabilities and secrets at the same time. Specify --security-checks vuln,config,secret to enable vulnerability, misconfiguration and secret detection together.
$ ls myapp/
Dockerfile Pipfile.lock
$ trivy fs --security-checks vuln,config,secret --severity HIGH,CRITICAL myapp/
2022-05-16T13:42:21.440+0100 INFO Number of language-specific files: 1
2022-05-16T13:42:21.440+0100 INFO Detecting pipenv vulnerabilities...
2022-05-16T13:42:21.440+0100 INFO Detected config files: 1
Pipfile.lock (pipenv)
=====================
Total: 1 (HIGH: 1, CRITICAL: 0)
┌──────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ httplib2 │ CVE-2021-21240 │ HIGH │ 0.12.1 │ 0.19.0 │ python-httplib2: Regular expression denial of service via │
│ │ │ │ │ │ malicious header │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21240 │
└──────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘
Dockerfile (dockerfile)
=======================
Tests: 17 (SUCCESSES: 16, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)
HIGH: Last USER command in Dockerfile should not be 'root'
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Dockerfile:3
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
3 [ USER root
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
In the example above, Trivy detected a vulnerability in a Python dependency and a misconfiguration in the Dockerfile.
9. Type detection
The specified directory can contain a mix of IaC file types. Trivy automatically detects the configuration type of each file and applies the relevant policies.
For example, the following directory holds Terraform, CloudFormation, Kubernetes, Helm chart and Dockerfile IaC files together.
$ ls iac/
Dockerfile deployment.yaml main.tf mysql-8.8.26.tar
$ trivy conf --severity HIGH,CRITICAL ./iac
Output:
Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 22, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)
...
deployment.yaml (kubernetes)
============================
Tests: 28 (SUCCESSES: 15, FAILURES: 13, EXCEPTIONS: 0)
Failures: 13 (MEDIUM: 4, HIGH: 1, CRITICAL: 0)
...
main.tf (terraform)
===================
Tests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)
Failures: 9 (HIGH: 6, CRITICAL: 1)
...
bucket.yaml (cloudformation)
============================
Tests: 9 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)
...
mysql-8.8.26.tar:templates/primary/statefulset.yaml (helm)
==========================================================
Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
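Type detection is what lets one trivy config run label Dockerfile as dockerfile, main.tf as terraform, deployment.yaml as kubernetes, bucket.yaml as cloudformation and the packaged chart as helm. The following added example (this page's own illustration, not Trivy's detection code) shows one workable approach: classify by file name where the name is decisive, fall back to top-level keys for YAML and JSON, and open a tar archive to look for a Chart.yaml. The directory contents, including the in-memory chart archive, are constructed; the rules are an approximation and deliberately return None for anything they cannot identify.

```python
import io
import json
import re
import tarfile
from pathlib import PurePosixPath


def build_chart_archive(chart_name="mysql"):
    """Build a minimal packaged Helm chart in memory (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for member, data in ((f"{chart_name}/Chart.yaml", b"apiVersion: v2\nname: mysql\n"),
                             (f"{chart_name}/templates/statefulset.yaml", b"kind: StatefulSet\n")):
            info = tarfile.TarInfo(member)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed directory listing modelled on the `ls iac/` example above.
SAMPLE_FILES = {
    "iac/Dockerfile": b"FROM alpine:3.7\n",
    "iac/main.tf": b'resource "aws_s3_bucket" "b" {}\n',
    "iac/deployment.yaml": b"apiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: web\n",
    "iac/bucket.yaml": b"Resources:\n  Bucket:\n    Type: AWS::S3::Bucket\n",
    "iac/mysql-8.8.26.tar": build_chart_archive(),
    "iac/README.md": b"# not IaC\n",
}


def _classify_structured(content):
    """YAML/JSON: CloudFormation if it has AWSTemplateFormatVersion or AWS:: resources,
    Kubernetes if it has apiVersion and kind at top level, otherwise None."""
    text = content.decode("utf-8", errors="replace")
    stripped = text.lstrip()
    if stripped.startswith("{"):
        try:
            doc = json.loads(stripped)
        except ValueError:
            return None
        if not isinstance(doc, dict):
            return None
        if "AWSTemplateFormatVersion" in doc or "Resources" in doc:
            return "cloudformation"
        return "kubernetes" if "apiVersion" in doc and "kind" in doc else None
    # YAML: inspect top-level keys with regexes so no YAML library is required.
    if re.search(r"^AWSTemplateFormatVersion:", text, re.M) or (
            re.search(r"^Resources:", text, re.M)
            and re.search(r"^\s+Type:\s*['\"]?AWS::", text, re.M)):
        return "cloudformation"
    if re.search(r"^apiVersion:", text, re.M) and re.search(r"^kind:", text, re.M):
        return "kubernetes"
    return None


def _is_helm_chart(content):
    """A packaged chart is a tar archive containing a Chart.yaml; anything unreadable is not one."""
    try:
        with tarfile.open(fileobj=io.BytesIO(content), mode="r:*") as tar:
            return any(PurePosixPath(m.name).name == "Chart.yaml" for m in tar.getmembers())
    except tarfile.TarError:
        return False


def detect_config_type(filename, content=b""):
    """Return one of the labels shown in the output above ('dockerfile', 'terraform',
    'kubernetes', 'cloudformation', 'helm') or None when the file is not recognised."""
    base = PurePosixPath(filename).name.lower()
    if base == "dockerfile" or base.startswith("dockerfile.") or base.endswith(".dockerfile"):
        return "dockerfile"
    if base.endswith((".tf", ".tf.json")):
        return "terraform"
    if base.endswith((".yaml", ".yml", ".json")):
        return _classify_structured(content)
    if base.endswith((".tgz", ".tar.gz", ".tar")):
        return "helm" if _is_helm_chart(content) else None
    return None


def detect_directory(files):
    """Map every path in a {path: bytes} listing to its detected type (None when unknown)."""
    return {path: detect_config_type(path, data) for path, data in files.items()}


if __name__ == "__main__":
    for path, kind in detect_directory(SAMPLE_FILES).items():
        print(f"{path}: {kind}")
```

Falling back to None rather than guessing is the safer default for a scanner: a file misclassified as Kubernetes would be evaluated against the wrong policy set and produce noise, while an unrecognised file simply goes unscanned and is visible as such in the summary.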