Check for Container Image Vulnerabilities with Trivy
Security should be one of the most important aspects of container deployments, especially for enterprise production environments that depend on highly scaled applications and services that will not only see massive demand but that will also interact with other services, servers, APIs, etc.
If you skimp on security, you could leave your company open to hacking. All it takes is one hacker gaining access to a single container and they could wind up with the keys to your kingdom.
You don’t want that.
The thing is security has to start from the ground up, otherwise, everything is susceptible. Think of it this way: You cannot build a house on a foundation with cracks, holes, and other vulnerabilities and expect it to be secure. Eventually, that house could crumble. Containers are the same way. If you build them on a foundation with vulnerabilities, there’s no way they’ll be secure.
In other words, the images you use to deploy your containerized application must be vulnerability free.
How do you know if an image contains vulnerabilities? You scan it. How do you scan a container image for vulnerabilities? With a tool like Trivy, first developed by Aqua Security.
Trivy is a command line tool that scans container images for vulnerabilities. Trivy can scan images, file systems, and even Git Repositories, outputting any and all vulnerabilities contained within. A tool like this should be considered an absolute must for any container developer or business that depends on containerized applications and services.
I’m going to show you how Trivy is installed and used on Ubuntu Server 22.04. Do know, however, that Trivy can be installed on the following platforms:
- Ubuntu
- RHEL
- Debian
- Arch Linux
- macOS (via Homebrew)
- Via Docker or Helm
Let’s get to it.
Requirements
For this tutorial, you’ll need a running instance of Docker Server 22.04 and a user with sudo privileges. That’s it. Time to get to work.
How to Install Docker
If you don’t already have Docker installed, let’s do it now.
First, install the necessary dependencies with the command:
|
1 |
sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-release -y |
Next, add the official Docker GPG key with the command:
|
1 |
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg |
Add the Docker repository with the following command:
|
1 2 |
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] \n https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null |
Update apt with:
|
1 |
sudo apt-get update |
Install Docker with the command:
|
1 |
sudo apt-get install docker-ce docker-ce-cli containerd.io -y |
Next, you must add your user to the docker group with the command:
|
1 |
sudo usermod -aG docker $USER |
Log out and log back in for the changes to take effect.
How to install Trivy
We can now install Trivy. First download and add the Aqua Security GPG key with:
|
1 |
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - |
Add the Aqua Security repository with the following command:
|
1 |
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list |
Update apt with:
|
1 |
sudo apt-get update |
Install Trivy with the command:
|
1 |
sudo apt-get install trivy -y |
How to Use Trivy
Using Trivy is quite simple. First, we’re going to pull down an image to test. For our first test, we’ll pull down the image for python:3.4-alpine. Do this with the command:
|
1 |
docker pull python:3.4-alpine |
Once the image has finished being pulled, run Trivy against it with the command:
|
1 |
trivy image python:3.4-alpine |
Trivy will immediately go to work and begin outputting any vulnerabilities it finds. As you can see (Figure 1), Trivy found a number of vulnerabilities, including some marked MEDIUM, HIGH, and CRITICAL.
-
Figure 1: The output of a Trivy run against a Python image.
The output will include a vulnerability CVE number and a bit of information about it, as well as a link for even more information and (in some cases) steps to mitigate the issue.
Let’s run another test, this time on the latest Ubuntu image. Pull the image with:
|
1 |
docker pull ubuntu:latest |
Run the scan with:
|
1 |
trivy image ubuntu:latest |
This time, Trivy only found a handful of vulnerabilities, the highest rank being MEDIUM.
Running Trivy in Client/Server Mode
You can always set up Trivy for client/server mode. What this does is use the server to house the vulnerability database (so the client doesn’t have to). You can then run Trivy from a remote client, using the server address to access the cached database. Here’s how it’s done.
On the server, launch Trivy in server mode with the command:
|
1 |
trivy server --listen 0.0.0.0:8080 |
Next, make sure Trivy is installed on the client as well, pull down an image to scan with docker, and then test it against the vulnerability database on the server with the command:
|
1 |
trivy client --remote http://SERVER:8080 IMAGE |
Where SERVER is the IP address of the server and IMAGE is the image you want to scan. For example, the server might be at IP address 192.168.1.151 and the image is ubuntu:latest. The command for that would be:
|
1 |
trivy client --remote http://192.168.1.151:8080 ubuntu:latest |
The client will contact the server and scan the image against the cached vulnerability database on the server.
And that’s all there is to scan Docker images for vulnerabilities with the Trivy command. Every time you pull a new image you should immediately scan it for vulnerabilities and act according to the output. By making sure you’re using images without vulnerabilities (especially those marked either HIGH or CRITICAL), you can be sure your container deployments are built on a solid foundation.