
Trivy - Solution to Scan Images of Docker Vulnerabilities

A Trivy Image Scanner Guide

· DevOps


Docker containerization seems to be the perfect strategy to deploy your application. But is it really flawless? Well, it all depends on how you build the strategy to deploy an application. Container images do have their vulnerabilities and pose a security threat. We will have a look at these factors and also at a tool called Trivy to scan a Docker image in detail. The topics covered in this blog are listed below:

Docker Image


A Docker image is like a blueprint used to create a Docker container. These images can be built on our own by defining the requirements in a Dockerfile. The images have at least one layer of a base image, and other layers are piled on top as specified in the Dockerfile. Once it is created by running the Docker run command on a Dockerfile, it becomes immutable. It consists of source code, tools, dependencies, libraries, and other files needed for an app to run.

What is a Vulnerability?


Wikipedia describes a vulnerability as a weakness that can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. The most famous vulnerability ID is the CVE (Common Vulnerabilities and Exposures), know everything about it from here. To add to that, some of the names of common vulnerabilities are Meltdown, Heartbleed, Shellshock, and Dirty COW.


The two types of vulnerabilities are known and unknown. In detail, known vulnerabilities are the ones that have already been found and assigned a CVE ID, whereas an unknown vulnerability is one that has not been disclosed yet. Hence there are two types of scanners: scanners that identify components with known vulnerabilities, for example Trivy, Clair, and Aqua, and unknown-vulnerability scanners such as OWASP ZAP and OSS-Fuzz.

Docker Image Vulnerabilities

We know containers are bossing a lot of the older technologies in application development. It indeed is exemplary, but does that mean it is flawless? Nope; as per best practices, we should never make assumptions. Docker images do possess vulnerabilities and are not secure by default. The vulnerabilities might be because of the packages installed in the image, libraries used by the user, or even the base image. Nonetheless, most of these issues are easily resolvable.

These might stem from outdated software, while thousands of images are attack tools or other potentially harmful software, according to an analysis of 4 million images published as of 1st of December 2020.

Scan Docker Image Vulnerabilities

Docker image scanning is the process of identifying known security vulnerabilities in the packages of your Docker image. This gives you the opportunity to find vulnerabilities in container images and fix them before pushing the image to a registry or running it as a container. Docker provides us with a scan command. In addition to that, there are a lot of other open-source tools as well. Let us look at how to scan Docker images using a tool called Trivy.

The tools identify each package and its version in the image and cross-reference them with a vulnerability database. These vulnerabilities are platform-specific, and since there are a lot of Linux distros used in images, it indeed becomes a mammoth task. Not to forget, vendors backport security fixes too.

Trivy Scanner for Docker Image Scanning

Trivy is a simple and comprehensive open-source vulnerability scanner for containers and other artefacts. Trivy was developed in 2019 by Aqua Security. It detects vulnerabilities in OS packages and also in application dependencies. Before pushing to a container registry or deploying your application, you can easily scan your local container image and other artefacts. Hence, this gives you confidence that all is well with your application without the more stressful configuration that other scanners require.

Features of Trivy Scanner

Trivy offers the following features that you will enjoy using:

  •  Easy installation – apt, yum, apk, Bundler, Composer, pipenv, Poetry, etc.
  •  Highly accurate
  •  Detects comprehensive vulnerabilities
  •  Simple – specify only an image name or artefact name
  •  Quick – the first scan will finish within 10 seconds (depending on your network); subsequent scans finish in single seconds
  •  DevSecOps – appropriate for CI such as Jenkins, Travis CI, GitLab CI, etc.
  •  Supports multiple formats – including container image, local filesystem, remote git repository

Installation of Trivy Scanner

Trivy can be installed in various ways; here we will see how to install it by running the below commands:

# Prerequisites for adding a signed third-party apt repository
sudo apt-get install wget apt-transport-https gnupg lsb-release
# Import the Aqua Security signing key so apt can verify the Trivy packages
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
# Register the Trivy repository for your release codename (lsb_release -sc)
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
# Refresh the package index and install Trivy
sudo apt-get update
sudo apt-get install trivy

To check, run the below command; on successful installation you will get the following output:

Scan Docker Image Using Trivy Scanner

Now let us scan an image for vulnerabilities in it. In the below scan we are going to scan an nginx image of version 1.19.6. Therefore, run the below command:

$ trivy image nginx:1.19.6


As we can see from the above output, there are a total of 286 vulnerabilities as of the time of scanning (UNKNOWN: 5, LOW: 140, MEDIUM: 44, HIGH: 66, CRITICAL: 31).

Let us now check for a secure image; run the below command for the Alpine-based nginx image.

$ trivy image nginx:1.19.9-alpine 


I guess you have figured it out by now: to scan an image of your choice, use the below command:

$ trivy image [YOUR_IMAGE_NAME] 
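The summary line Trivy prints (Total: 286 (UNKNOWN: 5, LOW: 140, ...)) is easy to read by eye, but in a CI job you want the same counts as data plus a pass/fail decision. The script below is an added example written for this post; it is not code from the original article or from the Trivy project. It assumes the trivy binary is on PATH and relies on the layout of Trivy's `--format json` output (Results -> Vulnerabilities -> Severity). The embedded SAMPLE_REPORT is a constructed report with placeholder CVE ids so the summary and gate logic can be exercised without running a scan.

```python
"""
Added example (not from the original post or from the Trivy project):
run Trivy with JSON output, count findings per severity, and gate a CI
job on HIGH/CRITICAL results. Assumes `trivy` is on PATH and that the
report follows Trivy's --format json layout.
"""
import json
import subprocess
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def run_trivy_json(image: str) -> dict:
    """Scan an image with Trivy and return the parsed JSON report.

    Requires the trivy binary; --quiet suppresses progress output so stdout
    holds only the JSON document.
    """
    proc = subprocess.run(
        ["trivy", "--quiet", "image", "--format", "json", image],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)


def summarize(report: dict) -> dict:
    """Count vulnerabilities per severity across every target in the report.

    Targets with no findings may carry "Vulnerabilities": null or omit the
    key entirely, so both cases are treated as an empty list.
    """
    counts = Counter({s: 0 for s in SEVERITIES})
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return dict(counts)


def format_summary(counts: dict) -> str:
    """Render the counts in the same style as Trivy's table summary line."""
    total = sum(counts.values())
    parts = ", ".join(f"{s}: {counts.get(s, 0)}" for s in SEVERITIES)
    return f"Total: {total} ({parts})"


def gate(counts: dict, fail_on=("HIGH", "CRITICAL")) -> bool:
    """Return True when the image may ship: no findings at blocked severities."""
    return all(counts.get(s, 0) == 0 for s in fail_on)


# Constructed sample in Trivy's JSON layout; the CVE ids are placeholders.
SAMPLE_REPORT = {
    "ArtifactName": "example/app:1.0",
    "Results": [
        {
            "Target": "example/app:1.0 (debian 10.8)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libc6", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "openssl", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "tar", "Severity": "LOW"},
            ],
        },
        # A target with no findings, as Trivy emits it
        {"Target": "app/requirements.txt", "Vulnerabilities": None},
    ],
}

if __name__ == "__main__":
    import sys
    # With an image argument, scan it for real; otherwise use the sample report.
    report = run_trivy_json(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    counts = summarize(report)
    print(format_summary(counts))
    # Non-zero exit fails the CI stage when HIGH or CRITICAL findings exist.
    sys.exit(0 if gate(counts) else 1)
```

Run it as `python3 trivy_gate.py nginx:1.19.6` to scan a real image, or with no argument to exercise the constructed sample; the exit code is 1 whenever a HIGH or CRITICAL finding is present, which is what a pipeline stage needs. Trivy's own `--severity` and `--exit-code` flags give the same gating without a wrapper; the wrapper earns its place when you also want the per-severity counts as data for a dashboard or ticket.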

Trivy as a Docker Container

If you were thinking of containerizing the Trivy tool, the solution is here. Now we will look at how to run it as a container. First, let us pull the image from the repository by using the below command:

$ docker run ghcr.io/aquasecurity/trivy:latest


Next, we will scan an image by running the Trivy tool as a Docker container and check out the vulnerabilities in the latest nginx image. In order to do so, run the below command:

$ docker run ghcr.io/aquasecurity/trivy:latest image nginx

Open-Source Docker Security Tools

Most of us know how the security of the Kubernetes cluster at Tesla was breached! On the other hand, in container security there are a lot of open-source tools available to examine your containers and make them rigid against attacks. But container security is not as easy as it may sound; it is a bit tricky.

Nobody wants to run their application on an insecure container, right? There are the commercial ones, which are managed by companies. On the other hand, you are in no short supply of open-source tools either. Most of these tools focus on auditing, tracking CVE databases and benchmarks established by CIS, the National Vulnerability Database, and other bodies. The tools then scan the Docker image, reveal its contents, and compare the contents against these manifests of known vulnerabilities.

While there are a lot of open-source container security options to choose from, here are the best, most mature ones with the largest user communities:

  • Docker Bench for Security 
  • Clair 
  • Cilium 
  • Anchore 
  • OpenSCAP Workbench 

Secure Docker Container Images

Deploying an application in an insecure environment is a big no-no, hence you just cannot ignore the first level of containerizing an application: the Docker image! Therefore, take a look at some of the best practices and tips that you should follow in order to build a secure and rigid environment for application deployment:

  •  Choosing the right base image 
  •  Remove Exploitable and Non-Essential Software 
  •  Use multi-stage builds 
  •  Rebuilding images 
  •  Scanning images during development 
  •  Scanning containers during production 
  •  Vulnerability Management 

Conclusion 

To enhance the quality of Docker container images and avoid being exposed to known vulnerabilities, it is recommended to:

  • Start scanning Docker images for such vulnerabilities.
  • Integrate the scanning process with the release cycle of the applications.
  • Use the tips and best practices to craft a robust approach to image scanning.
  • Verify and get rid of vulnerabilities in your Docker images before pushing them to an internal or even a public registry.

For more information: https://aquasecurity.github.io/trivy/v0.23.0/