This article covers Trivy, a simple and comprehensive vulnerability scanner for containers and other artifacts, suitable for Continuous Integration and testing.
Table of Contents
· Introduction
· Installation
· Scanning Git Repository
· Scanning Container Image
· Scanning Filesystem
· Scanning From Inside Containers
· Embed Trivy in Dockerfile
Introduction
Trivy is an open-source tool by Aqua Security that scans for known vulnerabilities and misconfigurations. It works at several levels: it can evaluate Infrastructure as Code, inspect container images, check configuration files, analyse Kubernetes deployments and review the code in a Git repository. Because it ships as a single binary, Trivy is easy to add to a CI/CD pipeline (DevSecOps): install the binary in the build environment and run it as a step of the build. Trivy covers both operating-system packages and language-specific dependencies, and its vulnerability database lets it flag critical CVEs in a quick scan. That makes it useful both for pen-testers and security researchers doing one-off assessments and for teams that want every build scanned continuously.
Installation
The installation is quite simple. Follow the commands below to install Trivy from the official apt repository on your Ubuntu machine.
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
Once the tool has been installed and updated, you are ready to scan. Two things to keep in mind: apt-key is deprecated on current Ubuntu releases, where the key should be stored in a keyring file and referenced with a signed-by option in the repository line instead; and the first scan downloads Trivy's vulnerability database, so it needs network access and takes noticeably longer than later runs, which reuse the cached database.
Scanning Git Repository
As described above, Trivy can look for security weaknesses across several kinds of target. If your code lives in a Git repository, Trivy can scan the remote repository directly, without you cloning it first (Trivy clones it into a temporary directory itself and scans the dependency lock files and manifests it finds there).
sudo trivy repo https://github.com/appsecco/dvna
Scanning Container Image
Docker is an open-source project, and for IT organisations docker security is a major concern; they look for security advisories and for tools that can identify vulnerabilities inside any docker image. You can scan docker images to identify vulnerabilities by following the steps below.
Step 1: Check the Image ID of the container image that you want to scan. Trivy looks the image up in the local Docker daemon; a tag that is not present locally is pulled from the registry.
sudo docker images
Step 2: Use the command below to scan the container image (the image ID here is the one from the author's machine; substitute yours).
sudo trivy image 4621d4fe2959
You can also restrict the output to a particular severity and save the report as text using the command below. --severity takes a comma-separated list, so HIGH,CRITICAL is the usual choice when the scan is meant to gate a build.
sudo trivy image --severity HIGH 4621d4fe2959 > result.txt
tail result.txt
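A plain-text report is awkward for a pipeline to act on. If the same scan is written as JSON (trivy image --format json -o report.json <image>), a small script can decide whether the job passes, for instance failing only on HIGH or CRITICAL findings that already have a fixed package. The script below is an added example written for this article, not code from the Trivy project or the original post. It relies on the field names Trivy uses in its JSON output (Results, Target, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity); the report embedded in it is constructed for the example, and its CVE identifiers and package names are placeholders, not real findings. It also goes slightly beyond the command above by accepting the bare-list format that older Trivy releases emitted before the SchemaVersion field existed.

```python
"""Gate a CI job on a Trivy JSON report.

Added example for this article, not code from the Trivy project. It assumes
the report was written with:  trivy image --format json -o report.json <image>
and uses the field names Trivy emits there. SAMPLE_REPORT is constructed for
this example; its CVE IDs and package names are placeholders, not findings.
"""
import json
import sys
from collections import Counter

# Trivy's severity labels, least to most severe.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def results(report):
    """Return the Results entries. Trivy releases that predate the SchemaVersion
    field wrote a bare JSON list instead of an object; accept both shapes."""
    return report if isinstance(report, list) else (report.get("Results") or [])


def findings(report, min_severity="HIGH", ignore_unfixed=False):
    """Vulnerabilities at or above min_severity, across all targets.
    ignore_unfixed mirrors trivy's --ignore-unfixed: drop findings whose
    FixedVersion is empty, i.e. no patched package exists yet."""
    threshold = SEVERITY_ORDER.index(min_severity.upper())
    selected = []
    for result in results(report):
        # A clean target omits the Vulnerabilities key or sets it to null.
        for vuln in result.get("Vulnerabilities") or []:
            severity = str(vuln.get("Severity", "UNKNOWN")).upper()
            if severity not in SEVERITY_ORDER:
                severity = "UNKNOWN"  # unexpected label: treat as lowest
            if SEVERITY_ORDER.index(severity) < threshold:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            selected.append({**vuln, "Severity": severity,
                             "Target": result.get("Target", "")})
    return selected


def severity_counts(vulns):
    """Histogram of the selected findings by severity label."""
    return dict(Counter(v["Severity"] for v in vulns))


def format_table(vulns):
    """One log line per finding, most severe first."""
    ordered = sorted(vulns, key=lambda v: -SEVERITY_ORDER.index(v["Severity"]))
    return [f"{v['Severity']:<8} {v.get('VulnerabilityID', '?'):<16} "
            f"{v.get('PkgName', '?')} {v.get('InstalledVersion', '?')} -> "
            f"{v.get('FixedVersion') or 'no fix yet'} ({v['Target']})"
            for v in ordered]


def gate(report, min_severity="HIGH", ignore_unfixed=False):
    """Verdict in the style of trivy --exit-code 1: 0 passes, 1 fails."""
    return 1 if findings(report, min_severity, ignore_unfixed) else 0


# Constructed sample in the shape of trivy's JSON output (placeholder content).
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example-app:latest",
    "Results": [
        {"Target": "example-app:latest (alpine 3.7.3)", "Class": "os-pkgs",
         "Type": "alpine", "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0",
              "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
              "InstalledVersion": "2.3.0-r1", "FixedVersion": "",
              "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "toolkit",
              "InstalledVersion": "0.9.0-r2", "FixedVersion": "0.9.1-r0",
              "Severity": "MEDIUM"}]},
        # A clean target: trivy omits the Vulnerabilities key here.
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm"},
    ],
}


def main(argv):
    """Usage: trivy_gate.py [report.json] [MIN_SEVERITY] [--ignore-unfixed]"""
    args = [a for a in argv[1:] if not a.startswith("--")]
    if args:
        with open(args[0]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT  # no file given: run against the sample
    min_severity = args[1] if len(args) > 1 else "HIGH"
    vulns = findings(report, min_severity, "--ignore-unfixed" in argv)
    print("\n".join(format_table(vulns)) or f"nothing at or above {min_severity}")
    print("counts:", severity_counts(vulns))
    return 1 if vulns else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after the scan as python3 trivy_gate.py report.json HIGH --ignore-unfixed and let its exit status decide whether the job continues; with no arguments it runs against the embedded sample. The --ignore-unfixed option mirrors Trivy's own flag of the same name, which drops findings with no patched package yet, so the gate does not break a build on something nobody can fix today; how strict that should be is a per-team decision, not a property of the scanner.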
Scanning Filesystem
Trivy can also scan a filesystem, such as a host machine, a virtual machine image or an unpacked container image filesystem. (Note: we are using a checkout of vulnerable-node on the local filesystem for this practical.) The command used here is Trivy's configuration scanner: it inspects files such as Dockerfiles, Kubernetes manifests and Terraform under the given directory and reports misconfigurations, not vulnerable packages. Scanning a directory for vulnerable packages is done with the filesystem subcommand used in the next section.
trivy conf services/
Scanning From Inside Containers
You can also scan a running container from the inside. Follow the steps below.
Step 1: Start a container from the image you want to scan and attach a shell to it.
sudo docker run -it alpine
Step 2: Inside the container, install curl, fetch Trivy's install script and scan the container's root filesystem. The --exit-code 1 flag makes trivy exit non-zero when it finds anything, which is what a script or pipeline would check. Piping a downloaded script straight into sh means trusting that URL at download time; for anything beyond a throwaway test container, pin a release and verify the binary's checksum instead.
apk add curl \
&& curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \
&& trivy filesystem --exit-code 1 --no-progress /
Embed Trivy in Dockerfile
You can also scan an image as part of its own build by embedding Trivy in the Dockerfile. This approach can be used to update Dockerfiles that currently use Aqua's Microscanner. Follow the steps below.
Step 1: Add Trivy to the Dockerfile. With --exit-code 1 the RUN step, and therefore the whole build, fails if any vulnerability is found; add --severity HIGH,CRITICAL to that line if only severe findings should break the build.
FROM alpine:3.7
RUN apk add curl \
 && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin \
 && trivy filesystem --exit-code 1 --no-progress /
Step 2: Build the image (the tag must not contain a space, hence vulnerable-image).
sudo docker build -t vulnerable-image .
Trivy scans the image's filesystem while it is being built and prints its report in the build output. Keep in mind that the resulting image still contains the trivy binary and curl; in a production Dockerfile, run the scan in a build stage that is not shipped, or scan the finished image with trivy image as shown above.
Author: Mukund Mehrotra is a cybersecurity researcher, technical writer and an enthusiastic pen-tester at Hacking Articles.