Kubernetes CKS exam tips - Trivy

Published On: 2022/04/20

Trivy is an open source scanner from Aqua Security that checks container images, configuration files and source repositories for known vulnerabilities and misconfigurations. Running it in the build pipeline helps ship production components and containers with fewer known weaknesses.

It can scan Git repositories and container images, and it reports issues in configuration files such as Dockerfiles, Kubernetes manifests and Terraform files.

How to install trivy

Trivy can be installed on a Debian/Ubuntu system either from the Aqua Security apt repository or from a release .deb package with dpkg.

  • Using apt-get: add the repository to /etc/apt/sources.list.d and install from it.
    sudo apt-get install wget apt-transport-https gnupg lsb-release
    wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
    echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
    sudo apt-get update
    sudo apt-get install trivy
    Note that apt-key is deprecated on Debian 11 / Ubuntu 22.04 and later; on those releases store the key under /etc/apt/keyrings and reference it with a signed-by option in the sources entry instead.
  • Using the Debian package manager: download a release .deb and install it with dpkg.
    wget https://github.com/aquasecurity/trivy/releases/download/v0.24.4/trivy_0.24.4_Linux-64bit.deb
    sudo dpkg -i trivy_0.24.4_Linux-64bit.deb
    dpkg does not verify the download, so compare the file against the checksums published on the same release page before installing it. v0.24.4 was current when this was written; use the latest release.

How to scan images with Trivy

Once Trivy is installed on the machine, scan a container image with:

trivy image <IMAGE_NAME>

This scans the given image and prints the findings as a text table; the -f option switches the output to JSON, which is easier to process in a pipeline.
trivy image <IMAGE_NAME> -f json

The result contains findings of every severity, but a severity filter keeps only the levels you care about. In a pipeline, add --exit-code 1 as well so the command fails when a matching vulnerability is found.
trivy image --severity HIGH,CRITICAL <IMAGE_NAME> -f json

Trivy reads an ignore file (.trivyignore, one vulnerability ID per line, lines starting with # are comments) from the working directory, similar to .gitignore, and drops those IDs from the results. Record the reason next to each entry, since an ignored finding no longer shows up anywhere:

# a libc vulnerability in the base image, currently unfixed
CVE-2021-33574

How to scan Dockerfile with Trivy

Trivy can parse a Dockerfile, and the scan report contains suggestions to improve the configuration.

Place the Dockerfile in a directory and run the config subcommand against that directory; Trivy scans every configuration file it recognises there.

trivy config .

Terraform and Kubernetes manifests are scanned the same way.

How to send scan request to a remote trivy server

Trivy has a client/server mode. The server keeps the vulnerability database, and the client sends the image layer details to it for scanning, so only the server needs to download database updates.

trivy server --listen <IP_ADDRESS>:<PORT>

Trivy client mode sends the scan request to the remote server address.
trivy client --remote http://<IP_ADDRESS>:<PORT> alpine:3.10

Two caveats: the example uses plain HTTP with no authentication, so when the server is reachable from other hosts put it behind TLS and set the same --token on server and client. In later Trivy releases the client subcommand was folded into trivy image --server <URL>.

Save the Trivy scan result as a formatted HTML file

It is a good idea to be able to store the scan result as an HTML file, in case auditors ask for it in that format. The html.tpl template ships in the contrib directory of the Trivy repository; the @ prefix tells Trivy to read the template from a file, and the path is relative to the current directory, so run the command from a checkout of the repository or point it at wherever your package installed the templates.

trivy image --format template --template "@contrib/html.tpl" -o report.html golang:1.12-alpine

Trivy in CKS exam

The CKS exam is built around Kubernetes, so it pays to know the container image commands and the options that let administrators narrow the results to specific severity levels.

trivy image --severity HIGH,CRITICAL <IMAGE>
trivy image --format json --severity HIGH,CRITICAL <IMAGE_NAME>

Use the --output option to save the scan result to a file:

trivy image --format json --severity HIGH,CRITICAL --output result.json <IMAGE_NAME>

If the container image has been saved as a tar file, use the --input option to scan it. This also works on a node that has no registry access or container daemon socket available:

docker save --output busybox.tar busybox
trivy image -f json -o result.json --input busybox.tar
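As an added example (not code from the original post or from the Trivy project), the Python script below ties together the severity filter and .trivyignore handling described earlier with the exam-style task of checking every image in a cluster: it collects the distinct images from kubectl get pods -A -o json (init and ephemeral containers included), runs trivy image --format json --severity HIGH,CRITICAL on each, and re-applies the .trivyignore list to the JSON before deciding whether to fail. It assumes kubectl and trivy are on PATH and that the report follows Trivy's JSON schema; the pod list, the report and the ignore file in the script are constructed sample data, and the CVE-0000-* IDs are placeholders, not real advisories.

```python
#!/usr/bin/env python3
"""Scan every image running in a cluster with Trivy and fail on HIGH/CRITICAL.

Added example for this post, not code from the original page or the Trivy
project. Assumptions: `kubectl` and `trivy` are on PATH, and the JSON shapes
follow `kubectl get pods -o json` and `trivy image --format json`.
"""
from __future__ import annotations

import json
import subprocess
import sys

SEVERITIES = ("HIGH", "CRITICAL")


def images_from_pods(pods_json: str) -> list[str]:
    """Return the sorted, de-duplicated images referenced by a pod list.

    Init and ephemeral containers are included: they run on the node too and
    are easy to miss when only .spec.containers is inspected.
    """
    images: set[str] = set()
    for pod in json.loads(pods_json).get("items", []):
        spec = pod.get("spec", {})
        for key in ("initContainers", "containers", "ephemeralContainers"):
            for container in spec.get(key, []):
                images.add(container["image"])
    return sorted(images)


def load_ignore_list(text: str) -> set[str]:
    """Parse .trivyignore: one ID per line, lines starting with '#' are comments."""
    ids: set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            ids.add(line.split()[0])  # first field only; newer Trivy allows trailing attributes
    return ids


def blocking_findings(report_json: str, ignored: set[str],
                      severities: tuple[str, ...] = SEVERITIES) -> list[dict]:
    """Flatten a Trivy JSON report into the findings that should block a build.

    Trivy already applies --severity and .trivyignore when it writes the report;
    re-applying them here keeps the gate correct for reports produced elsewhere
    (a remote server, or a file saved earlier with -o).
    """
    out: list[dict] = []
    for result in json.loads(report_json).get("Results") or []:  # null/absent when clean
        for v in result.get("Vulnerabilities") or []:
            if v["Severity"] in severities and v["VulnerabilityID"] not in ignored:
                out.append({"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                            "installed": v.get("InstalledVersion", ""),
                            "fixed": v.get("FixedVersion", ""),  # empty: no fix released yet
                            "severity": v["Severity"]})
    return out


def run_trivy(image: str) -> str:
    """Run the real scanner and return its JSON report as text."""
    cmd = ["trivy", "image", "--format", "json", "--severity", ",".join(SEVERITIES), image]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def scan_cluster(pods_json: str, ignore_text: str, scanner=run_trivy) -> dict[str, list[dict]]:
    """Map each distinct image in the cluster to its blocking findings."""
    ignored = load_ignore_list(ignore_text)
    return {img: blocking_findings(scanner(img), ignored) for img in images_from_pods(pods_json)}


# Constructed sample data so the functions run without a cluster or a Trivy
# database. CVE-0000-* are placeholder IDs; CVE-2021-33574 is the glibc entry
# from the post's .trivyignore example. Versions are illustrative only.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "web"}, "spec": {"initContainers": [{"image": "busybox:1.34"}],
                                           "containers": [{"image": "nginx:1.19"}]}},
    {"metadata": {"name": "job"}, "spec": {"containers": [{"image": "nginx:1.19"},
                                                          {"image": "alpine:3.10"}]}}]})
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "ArtifactName": "nginx:1.19", "Results": [
    {"Target": "nginx:1.19 (debian 10.9)", "Class": "os-pkgs", "Type": "debian", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-33574", "PkgName": "libc6", "InstalledVersion": "2.28-10",
         "FixedVersion": "", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "InstalledVersion": "1.1.1d-0+deb10u6",
         "FixedVersion": "1.1.1d-0+deb10u7", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "curl", "InstalledVersion": "7.64.0-4",
         "FixedVersion": "", "Severity": "MEDIUM"}]}]})
SAMPLE_IGNORE = "# a libc vulnerability in the base image, currently unfixed\nCVE-2021-33574\n"


def demo_scanner(image: str) -> str:
    """Stand-in for run_trivy: only the constructed nginx report has findings."""
    return SAMPLE_REPORT if image == "nginx:1.19" else json.dumps({"Results": None})


if __name__ == "__main__":
    demo = "--demo" in sys.argv  # --demo exercises the constructed data; otherwise query the cluster
    if demo:
        pods, scanner = SAMPLE_PODS, demo_scanner
    else:
        pods = subprocess.run(["kubectl", "get", "pods", "-A", "-o", "json"],
                              check=True, capture_output=True, text=True).stdout
        scanner = run_trivy
    try:
        with open(".trivyignore") as fh:
            ignore_text = fh.read()
    except FileNotFoundError:
        ignore_text = SAMPLE_IGNORE if demo else ""
    failures = 0
    for image, items in scan_cluster(pods, ignore_text, scanner).items():
        for f in items:
            failures += 1
            print(f"{image}: {f['severity']} {f['id']} {f['pkg']} {f['installed']} -> {f['fixed'] or 'no fix yet'}")
    sys.exit(1 if failures else 0)
```

Run it with --demo to see the gate in action on the constructed data: only the openssl finding survives, because the glibc CVE is on the ignore list and the curl finding is below the severity threshold. Against a live cluster it exits non-zero as soon as any image carries an unignored HIGH or CRITICAL vulnerability, which is the same behaviour trivy image --exit-code 1 gives for a single image.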

Conclusion

Learning Trivy and including it in the build pipeline is a wise move if you deploy with containers. I have mainly used it for container scanning, though it also covers IaC, Dockerfile and Kubernetes configuration files.
