Modal Title
Containers / Security

Check for Container Image Vulnerabilities with Trivy

Trivy, a command line vulnerability scanning tool for container images, should be considered for anyone depending on containerized applications and services.
Mar 18th, 2023 6:00am by
Featued image for: Check for Container Image Vulnerabilities with Trivy

Security should be one of the most important aspects of container deployments, especially for enterprise production environments that depend on highly scaled applications and services that will not only see massive demand but that will also interact with other services, servers, APIs, etc.

If you skimp on security, you could leave your company open to hacking. All it takes is one hacker gaining access to a single container and they could wind up with the keys to your kingdom.

You don’t want that.

The thing is security has to start from the ground up, otherwise, everything is susceptible. Think of it this way: You cannot build a house on a foundation with cracks, holes, and other vulnerabilities and expect it to be secure. Eventually, that house could crumble. Containers are the same way. If you build them on a foundation with vulnerabilities, there’s no way they’ll be secure.

In other words, the images you use to deploy your containerized application must be vulnerability free.

How do you know if an image contains vulnerabilities? You scan it. How do you scan a container image for vulnerabilities? With a tool like Trivy, first developed by Aqua Security.

Trivy is a command line tool that scans container images for vulnerabilities. Trivy can scan images, file systems, and even Git Repositories, outputting any and all vulnerabilities contained within. A tool like this should be considered an absolute must for any container developer or business that depends on containerized applications and services.

I’m going to show you how Trivy is installed and used on Ubuntu Server 22.04. Do know, however, that Trivy can be installed on the following platforms:

  • Ubuntu
  • RHEL
  • Debian
  • Arch Linux
  • macOS (via Homebrew)
  • Via Docker or Helm

Let’s get to it.

Requirements

For this tutorial, you’ll need a running instance of Docker Server 22.04 and a user with sudo privileges. That’s it. Time to get to work.

How to Install Docker

If you don’t already have Docker installed, let’s do it now.

First, install the necessary dependencies with the command:


Next, add the official Docker GPG key with the command:


Add the Docker repository with the following command:


Update apt with:


Install Docker with the command:


Next, you must add your user to the docker group with the command:


Log out and log back in for the changes to take effect.

How to install Trivy

We can now install Trivy. First download and add the Aqua Security GPG key with:


Add the Aqua Security repository with the following command:


Update apt with:


Install Trivy with the command:

How to Use Trivy

Using Trivy is quite simple. First, we’re going to pull down an image to test. For our first test, we’ll pull down the image for python:3.4-alpine. Do this with the command:


Once the image has finished being pulled, run Trivy against it with the command:


Trivy will immediately go to work and begin outputting any vulnerabilities it finds. As you can see (Figure 1), Trivy found a number of vulnerabilities, including some marked MEDIUM, HIGH, and CRITICAL.

Figure 1: The output of a Trivy run against a Python image.

The output will include a vulnerability CVE number and a bit of information about it, as well as a link for even more information and (in some cases) steps to mitigate the issue.

Let’s run another test, this time on the latest Ubuntu image. Pull the image with:


Run the scan with:


This time, Trivy only found a handful of vulnerabilities, the highest rank being MEDIUM.

Running Trivy in Client/Server Mode

You can always set up Trivy for client/server mode. What this does is use the server to house the vulnerability database (so the client doesn’t have to). You can then run Trivy from a remote client, using the server address to access the cached database. Here’s how it’s done.

On the server, launch Trivy in server mode with the command:


Next, make sure Trivy is installed on the client as well, pull down an image to scan with docker, and then test it against the vulnerability database on the server with the command:


Where SERVER is the IP address of the server and IMAGE is the image you want to scan. For example, the server might be at IP address 192.168.1.151 and the image is ubuntu:latest. The command for that would be:


The client will contact the server and scan the image against the cached vulnerability database on the server.

And that’s all there is to scan Docker images for vulnerabilities with the Trivy command. Every time you pull a new image you should immediately scan it for vulnerabilities and act according to the output. By making sure you’re using images without vulnerabilities (especially those marked either HIGH or CRITICAL), you can be sure your container deployments are built on a solid foundation.

Group Created with Sketch.
TNS owner Insight Partners is an investor in: Pragma, Docker, Aqua Security.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.