Vulnerability Scanning with Trivy
Hi Folks, here I am going to share my experiences on vulnerability scanning using Trivy. Trivy is an open-source vulnerability scanner used for scanning container images, file systems, and git repositories. First and for most,
What is Vulnerability?
As per Wikipedia, “In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries (i.e. perform unauthorized actions) within a computer system.”
As shown in the above diagram, OS packages and language specific dependencies are scanned when the Trivy is used to scan both container images and file systems. Additionally, Trivy can be used to scan the vulnerabilities of remote git repositories. After executing the security scan, a detail report on all the vulnerable packages are list down along with the respective CVEs and fixed versions of the packages if available. Let’s try it out.
You can easily install Trivy depending on your OS and check this for more info. For homebrew users, just execute the following command.
brew install aquasecurity/trivy/trivy
2. Run the vulnerability scan
As discussed earlier, the scan can be carried out on container images, file systems and git repositories. Let’s see the basic commands to be executed for each scenarios and what is happening behind the scene.
- Container Images
trivy image [image-name]
- File systems
trivy fs /path/to/project
- Git repository
trivy repo [github-repo-url]
As shown in above diagrams, when the scan is started, a database (trivy-db) consists of known vulnerabilities will be downloaded to cross check the installed packages of your application and finally output a summary of the security issues as shown in above diagrams. You can skip downloading the vulnerability database by the flag
--skip-update if you have recent copy of it.
trivy repo --skip-update [github-repo-url]
Also there can be large file systems or repositories to be scanned which caused exceeding the upper limit of open file descriptors. In that case you can set the ulimit by
ulimit -n 1024 . The vulnerabilities can be catagorized based on the severity of them like critical, high, medium etc. The Trivy scanner also output the vulnerabilities accordingly and we can filter out the vulnerabilities according to the severity by the flag
--severity HIGH,CRITICAL .
trivy repo --severity HIGH, CRITICAL [github-repo-url]
The Trivy scanner traverse through the directories and files of the given file system and it could be configured to skip files or directories if needed.
trivy repo --skip-files "file1" --skip-files "file2" --skip-dirs "dir1" --skip-dirs "dir2" [github-repo-url]
The Trivy scanner exit with code 0 by default and it can be configured the exit code as 1 only if critical vulnerability is detected as follows. These type of configurations are useful when integrating the Trivy scanner with CI/CD pipelines.
trivy repo --exit-code 1 --severity CRITICAL [github-repo-url]
The output report format could be configured to be as tabular (default), json or custom template.
- Tabular format on the terminal.
trivy repo -f table [repo-url]
- JSON output
trivy repo -f json -o results.json [repo-url]
- Custom template.
trivy repo --format template --template "@html.tpl" -o report.html [repo-url]
Find the “html.tpl” file from here.
There are lot more we can do with Trivy scanner like scanning configurations files like IaC files for detecting misconfigurations.
trivy config [path to IaC files]
Hope you got basic understanding of vulnerability scanning with Trivy and its additional customisations to get most out of the information revealed through these scans. Also there are integrations with IDEs, CI tools and many more explained in the Trivy official documentation. Finally, As developers, you have to be heads up on vulnerabilities exposed through 3rd party dependencies as it could result in sever security breeches.