Kubernetes CKS exam tips - Trivy

Published On: 2022/04/20

Trivy is an open source tool from Aquasecurity to scan images, configurations, projects to find out the vulnerabilities. It could be included in the build pipeline to prepare production ready components and containers which are less vulnerable to the attacks.

It can scan the Git repositories, container images, report issues in the configuration files such as dockerfile, kubernets, terraform files.

How to install trivy

Trivy could be installed in Debian/Ubuntu system either using apt-get or dpkg.

  • Using apt-get Add repository setting to /etc/apt/sources.list.d.
    sudo apt-get install wget apt-transport-https gnupg lsb-release
    wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
    echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
    sudo apt-get update
    sudo apt-get install trivy
  • Using debian package manager
    wget https://github.com/aquasecurity/trivy/releases/download/v0.24.4/trivy_0.24.4_Linux-64bit.deb
    sudo dpkg -i trivy_0.24.4_Linux-64bit.deb

How to scan images with Trivy

Once the trivy is installed in the machine, we could scan the container images using the command

trivy image < IMAGE_NAME >

With this command it will scan the given image and print the issues in a standared text format but there is an option to change the output format to json.
trivy image < IMAGE_NAME > -f json

The trivy scan result contain issues at all levels but we could provide the severity filters to get the filtered result.
trivy image --severity HIGH,CRITICAL < IMAGE_NAME > -f json

Trivy has an ignore file ( .trivyignore ) similar to .gitignore to skip the vulnerabilites in the results.

# a libc vulnerability in the base image, currently unfixed

How to scan Dockerfile with Trivy

Trivy can understand the Dockerfile and scanning result contain the suggestions to improve the configuration.

Place the dockerfile in a directory and run the trivy command to scan the configuration files in that directory.

trivy config .

Similarly we could scan the Terraform and Kubernetes configuration files.

How to send scan request to a remote trivy server

Trivy has cleint/server mode. The server maintains the vulnerability database and client sends the image layer details for scanning.

trivy server --listen < IP_ADDRESS >:< PORT >

Trivy client mode uses the remote server address to send the scan request.
trivy client --remote http://< IP_ADDRESS >:< PORT > alpine:3.10

Save trivy scan result to a formated html file

It would be a good idea to store trivy scanning result in an html file in case auditors demand it in html format.

trivy image --format template --template "@contrib/html.tpl" -o report.html golang:1.12-alpine

Trivy in CKS exam

CKS exam is based on kubernetes, so it would be good to learn the commands related to container image and the options that would help administrators to filter down images with specific severity values.

trivy image –severity HIGH,CRITICAL < IMAGE > trivy image –format json –severity HIGH,CRITICAL < IMAGE_NAME >

We could use the –output option to save the scan result to a file

trivy image –format json –severity HIGH,CRITICAL –output result.json < IMAGE_NAME >

In case the container image is saved as tar file then use the –input option to scan it.

docker save –output busybox.tar busybox trivy image -f json -o result.json –input busybox.tar


Learning Trivy and including it in the build pipeline is a wise move if you are using container based deployment. I have mainly used it for container scanning though it could be used for IaC, docker and kubernetes configuration files.

comments powered by Disqus