Trivy - The Container Image Scanner

GEANT TECH LLCGEANT TECH LLC
3 min read

Preamble:

Trivy is an open source single binary application written in Go and designed to find vulnerabilities, misconfigurations, secrets, SBOMs (Software Bill of Materials) in Container Images and Virtual Machine Images. It is a versatile security utility tool with built-in scanners that can look for security issues on a number of targets such as:

  • Container Images
  • Container Registries
  • Virtual Machine Images
  • Kubernetes
  • Files System
  • Software Licenses
  • Software Bill of Material
  • Amazon Cloud

A best use of Trivy is for scanning container images to ensure:

  • They are safe
  • They do not contain vulnerabilities
  • They do not bring in security risks
  • They do not violate any licensing
  • There is a generated SBOMs for all the packages installed

How To Install Trivy?

It is a straight forward process. Start by downloading and extracting the single binary application:

$ sudo wget https://github.com/aquasecurity/trivy/releases/download/v0.47.0/trivy_0.47.0_Linux-64bit.tar.gz
$ sudo tar xvzf trivy_0.47.0_Linux-64bit.tar.gz -C /usr/local/bin

Ensuring the executable flag is set on the application:

$ sudo chmod +x /usr/local/bin/trivy

Let's run the help command to validate the installation was successful:

$ trivy --help

Trivy Help View

Using Trivy to Scan a Container Images:

Trivy can scan container images for:

  • Vulnerabilities
  • Misconfigurations
  • Secrets
  • Licenses
  • SBOMs generation

By default, vulnerability and secret scanning are enabled and here is the command to run:

$ trivy image alpine:3.15

Trivy Image Scan

To scan a container image for vulnerabilities only run:

$ trivy image --scanners vuln alpine:3.15

To scan a container image for misconfigurations only run:

$ trivy image --scanners config alpine:3.15

Trivy Image Config Scan

To scan for licensing issues only run:

$ trivy image --scanners license alpine:3.15

Trivy Image License Scan

To generate SBOM, you can use the --format to specify between cyclonedx or spdx-json format:

$ trivy image --format spdx-json --output result.json alpine:3.15

$ trivy image --format cyclonedx --output result.json alpine:3.15

Trivy Vulnerability Database:

When trivy is installed on a system that has access to the Internet, it will automatically download the latest vulnerability database during execution. In air-gapped environments (no access to the Internet) trivy's vulnerability database has to be updated manually and here is the process to do so:

1.) Download the vulnerability database:

$ mkdir /tmp/trivy-vul-db
$ trivy --cache-dir /tmp/trivy-vul-db image --download-db-only
$ ls -la /tmp/trivy-vul-db/db

There should be two files: trivy.db, and metadata.json. In the next step we will copy those files to Trivy's DB cache directory in the air-gapped environment.

Trivy DB Files

2.) Put the DB file in the cache directory: The DB cache folder is usually located in /home/myuser/.cache/trivy/db. Here we will use scp for remote copy (rsync could also be used).

$ scp /tmp/trivy-vul-db/db/trivy.db  /tmp/trivy-vul-db/db/metadata.json myuser@remotehost:/home/myuser/.cache/trivy/db/

Note: If the /home/myuser/.cache/trivy/db/ folder does not exist you will have to create it before migrating the database.

3.) Now we have to run trivy with specific flags: In an air-gapped environment, you have to specify --skip-db-update and --skip-java-db-update so that Trivy doesn't attempt to download the latest database files. In addition, if you want to scan pom.xml dependencies, you need to specify --offline-scan. Here is an example:

$ trivy image --skip-db-update --skip-java-db-update --offline-scan alpine:3.12

For more on how to manage air-gapped deployment of Trivy refer to this link in the official documentation: trivy-in-air-gapped-environments

Extending Trivy's Vulnerability Database:

The Trivy Vulnerability Database has vulnerability information from NVD, Red Hat, Debian, etc. If you are one those power users who would like to extend trivy's vulnerabilities database and bring in your own, the trivy-db CLI utility is a tool used internally by the Trivy team to build and update vulnerability DBs. To learn more on how to use this tool to bring in your own curated list of vulnerabilities refer to the link: Trivy-DB-Utility

Found this useful, follow our page on: https://www.linkedin.com/company/geanttechnology

0
Subscribe to my newsletter

Read articles from GEANT TECH LLC directly inside your inbox. Subscribe to the newsletter, and don't miss out.

trivySecuritycontainersdocker imagessupplychainsecurity

Written by

GEANT TECH LLC
GEANT TECH LLC