Continuous Container Vulnerability Testing with Trivy

Reactive vs. proactive security

Proactive security with Trivy

Automated security in your CI/CD

  1. The source code dependencies.
  2. Artifacts such as Docker images. Attackers exploit vulnerabilities deep down in the application or the supporting libraries to break out from the container.
  3. Configuration files.
  4. Infrastructure code describing cloud services that power the application.

Vulnerability testing for dependencies

$ trivy fs .

Need to update DB
Downloading DB...
Number of language-specific files: 1
Detecting bundler vulnerabilities...

Gemfile.lock (bundler)
======================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

$ trivy repo https://github.com/knqyf263/trivy-ci-test

$ trivy fs --security-checks vuln,config .

Scanning dependencies with CI/CD

wget https://github.com/aquasecurity/trivy/releases/download/v0.20.1/trivy_0.20.1_Linux-64bit.deb
sudo dpkg -i trivy_0.20.1_Linux-64bit.deb
checkout
trivy fs --exit-code 1 .

echo "46119ad9571f740201461b7529059afacb01ff74549de60bca657deba2f556cd trivy_0.20.1_Linux-64bit.deb" | shasum -c -a 256

Scanning Docker images

  1. The base image we’re building from.
  2. The Dockerfile that packages the application.
  3. The final container image.

Vulnerability testing for base images

$ trivy image ruby:2.7

# remove unneeded packages with vulnerabilities
RUN apt-get purge -y curl "libcurl*" libaom0 python3.9
RUN apt-get autoremove -y

$ docker build -t my-test-image .
$ trivy image --severity HIGH,CRITICAL my-test-image
  • Adding --ignore-unfixed to the command hides vulnerabilities that do not have a fix or patch.
  • In .trivyignore we list the CVEs we want to skip.

# a libc vulnerability in the base image, currently unfixed
CVE-2021-33574
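As an added example (not code from the article or from Trivy itself), the following Python reproduces the gating decision that --severity, --ignore-unfixed and .trivyignore make over a Trivy JSON report, so the effect of each control can be checked against a constructed report. The report shape follows Trivy's schema v2 output from `trivy image -f json`; the CVE-EXAMPLE-* IDs, package versions and the exit-code mapping are assumptions made for the demonstration.

```python
import json
from typing import Iterable, List

# Constructed sample shaped like `trivy image -f json` (schema v2) output.
# CVE-2021-33574 is the unfixed libc issue from the article's .trivyignore;
# the CVE-EXAMPLE-* IDs, package names and versions are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "my-test-image",
    "Results": [{
        "Target": "my-test-image (debian)", "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-33574", "PkgName": "libc6",
             "InstalledVersion": "2.31-13", "Severity": "CRITICAL"},  # no FixedVersion
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "curl",
             "InstalledVersion": "7.74.0-1", "FixedVersion": "7.74.0-2", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libaom0",
             "InstalledVersion": "1.0.0-1", "Severity": "MEDIUM"},
        ],
    }],
})

# The article's .trivyignore, verbatim: one ID per line, '#' starts a comment.
TRIVYIGNORE = "# a libc vulnerability in the base image, currently unfixed\nCVE-2021-33574\n"


def failing_findings(report_json: str, severities: Iterable[str],
                     ignore_unfixed: bool = False, trivyignore: str = "") -> List[str]:
    """IDs that survive all three filters and therefore trip `--exit-code 1`."""
    wanted = {s.upper() for s in severities}                       # --severity
    ignored = {ln.split("#", 1)[0].strip() for ln in trivyignore.splitlines()} - {""}
    hits = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:           # key absent when clean
            if vuln["Severity"] not in wanted or vuln["VulnerabilityID"] in ignored:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):    # --ignore-unfixed
                continue
            hits.append(vuln["VulnerabilityID"])
    return hits


def ci_exit_code(report_json: str, severities: Iterable[str],
                 ignore_unfixed: bool = False, trivyignore: str = "") -> int:
    """Mirror `trivy ... --exit-code 1`: non-zero only when something is left to fix."""
    return 1 if failing_findings(report_json, severities, ignore_unfixed, trivyignore) else 0
```

Note that both --ignore-unfixed and the .trivyignore entry silence CVE-2021-33574 here, but only the ignore file records why, which is what you want to see in a code review.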

Vulnerability testing container images

wget https://github.com/aquasecurity/trivy/releases/download/v0.20.1/trivy_0.20.1_Linux-64bit.deb
sudo dpkg -i trivy_0.20.1_Linux-64bit.deb
checkout
docker pull "${DOCKER_USERNAME}"/semaphore-demo-ruby-kubernetes:$SEMAPHORE_WORKFLOW_ID
trivy image --severity HIGH,CRITICAL "${DOCKER_USERNAME}"/semaphore-demo-ruby-kubernetes:$SEMAPHORE_WORKFLOW_ID

Scan the Dockerfiles

$ mkdir -p audit-dockerfiles
$ cp Dockerfile* audit-dockerfiles
$ cd audit-dockerfiles
$ trivy config .
$ cd -

wget https://github.com/aquasecurity/trivy/releases/download/v0.20.1/trivy_0.20.1_Linux-64bit.deb
sudo dpkg -i trivy_0.20.1_Linux-64bit.deb
checkout
dockerdir=$(mktemp -d)
cp Dockerfile* $dockerdir
(cd $dockerdir; trivy config --exit-code 1 .)

Scan Kubernetes

Test the Infrastructure

wget https://github.com/aquasecurity/trivy/releases/download/v0.20.1/trivy_0.20.1_Linux-64bit.deb
sudo dpkg -i trivy_0.20.1_Linux-64bit.deb
checkout
cd terraform
terraform init
trivy config --exit-code 1 --severity MEDIUM,HIGH,CRITICAL .

Check Kubernetes manifests

wget https://github.com/aquasecurity/trivy/releases/download/v0.20.1/trivy_0.20.1_Linux-64bit.deb
sudo dpkg -i trivy_0.20.1_Linux-64bit.deb
checkout
k8sdir=$(mktemp -d)
cp deployment*.yml $k8sdir
(cd $k8sdir; trivy config --exit-code 1 --severity HIGH,CRITICAL .)

Extending Trivy

$ trivy plugin install github.com/aquasecurity/trivy-plugin-kubectl

# Scan a pod
$ trivy kubectl pod mypod

# Scan a deployment
$ trivy kubectl deployment mydeployment

Conclusion
