Continuous Container Vulnerability Testing with Trivy

Reactive vs. proactive security

Proactive security with Trivy

Automated security in your CI/CD

  1. The source code dependencies.
  2. Artifacts such as Docker images. Attackers exploit vulnerabilities deep down in the application or the supporting libraries to break out from the container.
  3. Configuration files.
  4. Infrastructure code describing cloud services that power the application.

Vulnerability testing for dependencies

$ trivy fs .

Need to update DB
Downloading DB...
Number of language-specific files: 1
Detecting bundler vulnerabilities...

Gemfile.lock (bundler)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
$ trivy repo
$ trivy fs --security-checks vuln,config .

Scanning dependencies with CI/CD

# verify the downloaded package against its checksum before installing it
echo "46119ad9571f740201461b7529059afacb01ff74549de60bca657deba2f556cd trivy_0.20.1_Linux-64bit.deb" | shasum -c -a 256
sudo dpkg -i trivy_0.20.1_Linux-64bit.deb
# scan the checked-out sources; the non-zero exit code fails the CI job when vulnerabilities are found
trivy fs --exit-code 1 .

Scanning Docker images

  1. The base image we’re building from.
  2. The Dockerfile that packages the application.
  3. The final container image.

Vulnerability testing for base images

$ trivy image ruby:2.7

# Dockerfile: remove unneeded packages with vulnerabilities
RUN apt-get purge -y curl "libcurl*" libaom0 python3.9
RUN apt-get autoremove -y

$ docker build -t my-test-image .
$ trivy image --severity HIGH,CRITICAL my-test-image
  • Adding --ignore-unfixed to the command hides vulnerabilities that do not have a fix or patch.
  • In .trivyignore we list the CVEs we want to skip, for example:

# a libc vulnerability in the base image, currently unfixed
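As an added example (not code from the post or from Trivy itself), the following Python gate applies the same --severity, --ignore-unfixed and .trivyignore rules to a saved `trivy image --format json` report, so the CI policy can be reported on and enforced outside the scanner. The report and .trivyignore contents are constructed samples with placeholder CVE ids, and supporting both the list-shaped report and a {"Results": [...]} wrapper is an assumption about Trivy's schema versions.

```python
import json
from collections import Counter

# Constructed sample of `trivy image --format json` output (placeholder CVE ids, not real findings).
SAMPLE_REPORT = json.loads("""[
 {"Target": "my-test-image (debian 11)", "Type": "debian", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libc6", "FixedVersion": "", "Severity": "HIGH"},
  {"VulnerabilityID": "CVE-0000-0002", "PkgName": "curl", "FixedVersion": "7.74.0-1.3", "Severity": "CRITICAL"},
  {"VulnerabilityID": "CVE-0000-0003", "PkgName": "openssl", "FixedVersion": "1.1.1n-0", "Severity": "HIGH"},
  {"VulnerabilityID": "CVE-0000-0004", "PkgName": "zlib", "FixedVersion": "1.2.12-1", "Severity": "MEDIUM"}]},
 {"Target": "Gemfile.lock", "Type": "bundler", "Vulnerabilities": null}]""")
# Constructed .trivyignore in the shape the post describes: one CVE id per line, '#' starts a comment.
SAMPLE_TRIVYIGNORE = "# a libc vulnerability in the base image, currently unfixed\nCVE-0000-0001\n"

def load_trivyignore(text):
    """Return the set of vulnerability ids listed in .trivyignore text."""
    ids = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            ids.add(entry)
    return ids

def iter_vulnerabilities(report):
    """Yield each finding; handles the list-shaped report and the newer
    {"Results": [...]} wrapper (assumption about Trivy schema versions)."""
    results = (report.get("Results") or []) if isinstance(report, dict) else report
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:  # null when a target is clean
            yield vuln

def gate(report, severities=("HIGH", "CRITICAL"), ignore_unfixed=False, ignored_ids=frozenset()):
    """Apply the --severity / --ignore-unfixed / .trivyignore policy to a parsed report.
    Returns (exit_code, {severity: count}) where exit_code is 1 if any finding blocks."""
    blocking = Counter()
    for vuln in iter_vulnerabilities(report):
        severity = vuln.get("Severity", "UNKNOWN")
        if severity not in severities:              # below the gate's threshold
            continue
        if vuln.get("VulnerabilityID") in ignored_ids:  # accepted risk listed in .trivyignore
            continue
        if ignore_unfixed and not vuln.get("FixedVersion"):  # no upgrade available yet
            continue
        blocking[severity] += 1
    return (1 if blocking else 0), dict(blocking)

if __name__ == "__main__":
    code, counts = gate(SAMPLE_REPORT, ignore_unfixed=True, ignored_ids=load_trivyignore(SAMPLE_TRIVYIGNORE))
    print("blocking findings:", counts, "-> exit code", code)
    raise SystemExit(code)
```

Run as a script it exits 1 only when a blocking finding remains, which is the same signal `--exit-code 1` gives the CI job.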

Vulnerability testing container images

sudo dpkg -i trivy_0.20.1_Linux-64bit.deb
docker pull "${DOCKER_USERNAME}"/semaphore-demo-ruby-kubernetes:$SEMAPHORE_WORKFLOW_ID
trivy image --severity HIGH,CRITICAL "${DOCKER_USERNAME}"/semaphore-demo-ruby-kubernetes:$SEMAPHORE_WORKFLOW_ID

Scan the Dockerfiles

$ mkdir -p audit-dockerfiles
$ cp Dockerfile* audit-dockerfiles
$ cd audit-dockerfiles
$ trivy config .
$ cd -

# the same scan as a CI job: copy the Dockerfiles into a scratch directory so nothing else is scanned
sudo dpkg -i trivy_0.20.1_Linux-64bit.deb
dockerdir=$(mktemp -d)
cp Dockerfile* "$dockerdir"
(cd "$dockerdir" && trivy config --exit-code 1 .)

Scan Kubernetes

Test the Infrastructure

sudo dpkg -i trivy_0.20.1_Linux-64bit.deb
cd terraform
terraform init
trivy config --exit-code 1 --severity MEDIUM,HIGH,CRITICAL .

Check Kubernetes manifests

sudo dpkg -i trivy_0.20.1_Linux-64bit.deb
k8sdir=$(mktemp -d)
cp deployment*.yml "$k8sdir"
(cd "$k8sdir" && trivy config --exit-code 1 --severity HIGH,CRITICAL .)

Extending Trivy

$ trivy plugin install

# Scan a pod
$ trivy kubectl pod mypod

# Scan a deployment
$ trivy kubectl deployment mydeployment
