Kubernetes CKS exam tips - Trivy
Published On: 2022/04/20
Trivy is an open source tool from Aquasecurity to scan images, configurations, projects to find out the vulnerabilities. It could be included in the build pipeline to prepare production ready components and containers which are less vulnerable to the attacks.
It can scan the Git repositories, container images, report issues in the configuration files such as dockerfile, kubernets, terraform files.
How to install trivy
Trivy could be installed in Debian/Ubuntu system either using apt-get or dpkg.
- Using apt-get
Add repository setting to /etc/apt/sources.list.d.
sudo apt-get install wget apt-transport-https gnupg lsb-release wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list sudo apt-get update sudo apt-get install trivy
- Using debian package manager
wget https://github.com/aquasecurity/trivy/releases/download/v0.24.4/trivy_0.24.4_Linux-64bit.deb sudo dpkg -i trivy_0.24.4_Linux-64bit.deb
How to scan images with Trivy
Once the trivy is installed in the machine, we could scan the container images using the command
trivy image < IMAGE_NAME >
With this command it will scan the given image and print the issues in a standared text format but there is an option to change the output format to json.
trivy image < IMAGE_NAME > -f json
The trivy scan result contain issues at all levels but we could provide the severity filters to get the filtered result.
trivy image --severity HIGH,CRITICAL < IMAGE_NAME > -f json
Trivy has an ignore file ( .trivyignore ) similar to .gitignore to skip the vulnerabilites in the results.
# a libc vulnerability in the base image, currently unfixed CVE-2021-33574
How to scan Dockerfile with Trivy
Trivy can understand the Dockerfile and scanning result contain the suggestions to improve the configuration.
Place the dockerfile in a directory and run the trivy command to scan the configuration files in that directory.
trivy config .
Similarly we could scan the Terraform and Kubernetes configuration files.
How to send scan request to a remote trivy server
Trivy has cleint/server mode. The server maintains the vulnerability database and client sends the image layer details for scanning.
trivy server --listen < IP_ADDRESS >:< PORT >
Trivy client mode uses the remote server address to send the scan request.
trivy client --remote http://< IP_ADDRESS >:< PORT > alpine:3.10
Save trivy scan result to a formated html file
It would be a good idea to store trivy scanning result in an html file in case auditors demand it in html format.
trivy image --format template --template "@contrib/html.tpl" -o report.html golang:1.12-alpine
Trivy in CKS exam
CKS exam is based on kubernetes, so it would be good to learn the commands related to container image and the options that would help administrators to filter down images with specific severity values.
trivy image –severity HIGH,CRITICAL < IMAGE > trivy image –format json –severity HIGH,CRITICAL < IMAGE_NAME >
We could use the –output option to save the scan result to a file
trivy image –format json –severity HIGH,CRITICAL –output result.json < IMAGE_NAME >
In case the container image is saved as tar file then use the –input option to scan it.
docker save –output busybox.tar busybox trivy image -f json -o result.json –input busybox.tar
Learning Trivy and including it in the build pipeline is a wise move if you are using container based deployment. I have mainly used it for container scanning though it could be used for IaC, docker and kubernetes configuration files.