
Aqua Security’s Trivy Security Scanner Can Scan Anything Now

24 May 2022 7:46am, by

VALENCIA, Spain — At KubeCon Europe, Aqua Security, the cloud native security provider, announced that its open source security scanner Aqua Trivy can scan pretty much anything cloud native related. Such as what? Such as source code, repositories, images, artifact registries, Infrastructure-as-Code (IaC) templates, and Kubernetes environments. I like the sound of this!

Trivy merges multiple scanning programs into a single tool. Amir Jerbi, Aqua Security’s CTO and co-founder sees this as a great move forward. “Security professionals are overwhelmed with the number of tools they are required to use and consolidating tools where possible helps teams become more efficient,” he said.

Aqua claims it’s the most comprehensive vulnerability and misconfigurations scanner available for cloud native applications and infrastructure. I don’t know if I’d go that far, but the concept’s very attractive.

After all, if my developers can do most of their scanning for security blunders with one tool, that’s a lot easier than using a hodgepodge of other programs. This makes getting your team to buy into DevSecOps much easier.

Key Features

Its features include:

  • Scan proprietary and third-party code for issues using Integrated Developer Environment (IDE) plug-ins for JetBrains, VSCode, and vim to shift security further left.
  • Generate complete software bills of materials (SBOM) to provide transparency into software components and restore visibility to risks in the software supply chain.
  • Detect sensitive hardcoded secrets, like passwords, API keys, and tokens to prevent unauthorized access by threat actors.
  • Scan running Kubernetes clusters for a full life cycle view of risks, and audit for regulatory compliance.
  • Integrate into continuous integration/continuous deployment (CI/CD) pipelines.

Trivy runs on Alpine Linux, the Debian/Ubuntu Linux family, Red Hat Enterprise Linux (RHEL), the SUSE Linuxes, and others. It also works with CI/CD programs such as GitHub Actions, Jenkins, and GitLab CI.
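The consolidation the article describes (vulnerabilities, hardcoded secrets and misconfigurations from one scan) is most useful in CI when one step turns the combined report into a pass/fail decision. The script below is an added example, not code from Aqua or the Trivy project: it reads a Trivy JSON report, merges the three finding types, drops unfixable vulnerabilities on request, and fails the build above a severity threshold. The report layout (top-level `Results`, each with `Target`, `Vulnerabilities`, `Secrets`, `Misconfigurations`) is Trivy's JSON format as I know it, and the embedded sample report is constructed with placeholder identifiers.

```python
"""Gate a CI job on a Trivy JSON report (added example, not Trivy's own code).

The report would normally come from something like
  trivy fs --format json --output report.json --security-checks vuln,secret,config .
(flag names as used by Trivy releases around mid-2022). The sample below is
constructed; the CVE and misconfiguration IDs are placeholders, not real entries.
"""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report covering all three finding types Trivy merges.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "package-lock.json", "Type": "npm", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "lodash", "InstalledVersion": "4.17.15",
             "FixedVersion": "4.17.21", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "minimist", "InstalledVersion": "1.2.0",
             "FixedVersion": "", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "debug", "InstalledVersion": "2.6.8",
             "FixedVersion": "2.6.9", "Severity": "LOW"},
        ]},
        {"Target": "config/settings.py", "Secrets": [
            {"RuleID": "aws-access-key-id", "Severity": "CRITICAL", "Title": "AWS Access Key ID", "StartLine": 12},
        ]},
        {"Target": "deploy/deployment.yaml", "Type": "kubernetes", "Misconfigurations": [
            {"ID": "MISCONF-PLACEHOLDER-1", "Title": "Runs as root user", "Severity": "MEDIUM", "Status": "FAIL"},
            {"ID": "MISCONF-PLACEHOLDER-2", "Title": "Privilege escalation allowed", "Severity": "MEDIUM", "Status": "PASS"},
        ]},
    ]
})


def collect_findings(report: dict, ignore_unfixed: bool = False) -> list:
    """Flatten vulnerabilities, secrets and failed misconfigurations into one list."""
    findings = []
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            # Unfixed CVEs can be deferred: nothing to upgrade to yet, track them separately.
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            findings.append({"kind": "vuln", "target": target, "id": v["VulnerabilityID"],
                             "severity": v.get("Severity", "UNKNOWN"),
                             "detail": f"{v.get('PkgName')} {v.get('InstalledVersion')}"})
        for s in result.get("Secrets") or []:
            findings.append({"kind": "secret", "target": target, "id": s["RuleID"],
                             "severity": s.get("Severity", "UNKNOWN"),
                             "detail": f"{s.get('Title')} at line {s.get('StartLine')}"})
        for m in result.get("Misconfigurations") or []:
            # Trivy reports passed checks too; only failures are findings.
            if m.get("Status", "FAIL") != "FAIL":
                continue
            findings.append({"kind": "misconfig", "target": target, "id": m["ID"],
                             "severity": m.get("Severity", "UNKNOWN"), "detail": m.get("Title", "")})
    return findings


def blocking_findings(findings: list, fail_on: str = "HIGH") -> list:
    """Return the findings at or above the severity threshold that should fail the build."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"].upper(), 0) >= threshold]


def summarize(findings: list) -> dict:
    """Count findings per kind, so the job log shows the shape of the problem."""
    counts = {"vuln": 0, "secret": 0, "misconfig": 0}
    for f in findings:
        counts[f["kind"]] += 1
    return counts


def main(argv: list) -> int:
    path = argv[1] if len(argv) > 1 else None
    raw = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    findings = collect_findings(json.loads(raw), ignore_unfixed="--ignore-unfixed" in argv)
    blocking = blocking_findings(findings, fail_on="HIGH")
    print("findings by kind:", summarize(findings))
    for f in blocking:
        print(f"BLOCK {f['severity']:<8} {f['kind']:<9} {f['id']} in {f['target']} ({f['detail']})")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to a Trivy JSON report as the first argument (or with no argument to use the constructed sample); a non-zero exit code is what a CI runner needs to stop the pipeline. Secrets are treated exactly like vulnerabilities and misconfigurations here, which is the point of a single gate: a leaked key in a config file should stop a deploy as surely as a critical CVE does.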

Trivy Premium

Trivy is also being integrated into the Aqua Platform as Trivy Premium. With this commercial offering, you get customer support, premium content, and centralized management for enterprise scalability.

Trivy Premium also offers increased vulnerability identification accuracy, thanks to premium threat intelligence, malware scanning, and the ability to scan standalone binaries, that is, applications installed directly without a package manager. Within the Aqua Platform, Trivy Premium also integrates with other platform modules like Cloud Security Posture Management (CSPM) and Runtime Protection for improved cloud native application life cycle protection.

Docker Desktop Integration

In addition, Trivy was recently integrated into Docker Desktop. If you’re using Docker Desktop already, this makes it even easier to bring vulnerability and risk scanning into your workflows.

Behind Trivy stands a large cloud native security community. With over 100,000 users, and with nearly 12,000 GitHub stars, it’s arguably the most popular vulnerability and risk scanner around. If I were in your shoes, I’d give the open source Trivy a try.

If you like what you see, sign up for a free trial of Trivy Premium on the Aqua Platform at Aquasec.com.

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker, Aqua Security.

Featured image by Gerd Altmann from Pixabay