Using Trivy to discover vulnerabilities

Bharat Mallavarapu
5 min read · Jun 12, 2021


In this blog, let’s talk about the tool I worked on during my internship at Red Hat. As part of the DevSecOps project, I found several processes that help in building a DevSecOps pipeline. One such process is image scanning, which means scanning a container image for vulnerabilities. After thorough research and consideration, I chose Trivy as my tool for image scanning.

What is Trivy?

Trivy is a comprehensive and easy-to-use open source vulnerability scanner for container images developed by aquasecurity. Unlike other open source scanners, Trivy covers both OS packages and language-specific dependencies and is extremely easy to integrate into organizations’ software development pipelines.

What does Trivy do?

As mentioned above, Trivy is a vulnerability scanner that can find vulnerabilities in OS packages and application dependencies inside an image. Trivy takes container image scanning to a higher level of usability and performance. With frequent feature and vulnerability database updates and its comprehensive vulnerability coverage, Trivy stands out as the better choice when compared with the other tools available.

Trivy can scan three different kinds of artifact:

  • Container Images
  • Filesystem
  • Git Repositories

Installing Trivy:

Trivy is easy to install. Just install the binary and you’re ready to scan. Follow this link to check out all the supported installations.

Standalone mode of Trivy:
Trivy can be run in different modes. One of them is standalone mode, where Trivy is not integrated into any CI and is simply run by hand to scan the different artifacts.

Scanning an Image:
It is very easy to scan an image using Trivy. The syntax is given below:

trivy image <image-name>

Example (image): Trivy scanning an image

Scanning a Filesystem:
Trivy can scan a filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem). During the scan it looks for vulnerabilities based on lock files such as package-lock.json and yarn.lock. The syntax is given below:

trivy fs <your-scanning-dir-path>

Scanning a Git repository:
Trivy can scan remote Git repositories that are public. The syntax is given below:

trivy repo <repository-url>

Integrating Trivy in Tekton

As Trivy can be integrated into our daily routine, scripts and CI, I have integrated Trivy into Tekton Pipelines. The Tekton Task I defined around Trivy can be used to scan an image in a registry, a local image, a Git repository and a filesystem.

The Task takes the registry URL as a parameter and then scans the image present in that registry using Trivy. With the exit-code option set, Trivy breaks the build if any vulnerabilities are found. The code can be found in my GitHub repository.

(image) Trivy using Tekton

Now that we have seen what Trivy can do, let’s discuss why Trivy and not another tool.

Why Trivy?

Trivy can detect vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.).

Image reference: Trivy GitHub repository

The above image clearly shows the modes and artifacts Trivy supports. Container images contain the OS, the runtime and the application (basically everything but the Linux kernel). If one container is breached, there is little preventing further containers from being breached. While there are many open-source image scanning tools, they do not provide the same level of coverage as Trivy: many scanners check only installed operating system packages.

When choosing a scanner for your CI pipeline, make sure it provides the coverage you need and supports the base image’s package installer database and the programming languages your applications use. You will also need to determine acceptable levels of risk for allowing a build to pass such as any vulnerability below a certain severity — or alternatively, failing builds with fixable vulnerabilities above a certain severity. Make sure your scanner offers a compatible API or tool that you can plug into your CI pipeline and provides the data you need to evaluate your criteria for failing a build.

With so many requirements as mentioned above, it is hard to find a tool that supports all of them, and this led to the development of Trivy.
Trivy can integrate into your pipeline, scan not only OS packages but also programming language dependencies, and break the build according to the severity we select. The image below compares Trivy with the other scanners available.
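As an added example, not code from this post or from the Trivy project: a small build gate that reads the JSON report written by `trivy image -f json -o report.json <image>` and applies the policy discussed above (fail only on fixable findings at or above a chosen severity), which is the same decision the exit-code option makes in the Tekton Task. The embedded report is constructed, its image name is hypothetical and its CVE identifiers are placeholders.

```python
import json
import sys

# Severity order used for the threshold (same names Trivy prints in its reports).
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of `trivy image -f json` output (Results -> Vulnerabilities).
# The image name is hypothetical and the CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = {
    "Results": [
        {"Target": "example.invalid/app:1.0 (alpine 3.13)", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "openssl",
              "InstalledVersion": "1.1.1j-r0", "FixedVersion": "1.1.1k-r0", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "busybox",
              "InstalledVersion": "1.32.1-r3", "FixedVersion": "", "Severity": "CRITICAL"},
         ]},
        {"Target": "app/package-lock.json", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "lodash",
              "InstalledVersion": "4.17.15", "FixedVersion": "4.17.21", "Severity": "MEDIUM"},
         ]},
    ],
}

def gate(report, min_severity="HIGH", fixable_only=True):
    """Split findings into (blocking, ignored); any blocking finding should fail the build."""
    threshold = SEVERITY_RANK[min_severity]
    blocking, ignored = [], []
    for result in report.get("Results", []):
        # A target with no findings has no "Vulnerabilities" key at all.
        for v in result.get("Vulnerabilities") or []:
            above = SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) >= threshold
            fixable = bool(v.get("FixedVersion"))  # empty string means no fix available
            entry = (result["Target"], v["VulnerabilityID"], v["PkgName"], v["Severity"], fixable)
            if above and (fixable or not fixable_only):
                blocking.append(entry)
            else:
                ignored.append(entry)
    return blocking, ignored

def exit_code_for(report, **policy):
    """Mirror the exit-code behaviour: non-zero when at least one blocking finding exists."""
    return 1 if gate(report, **policy)[0] else 0

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    blocking, ignored = gate(data)
    for target, cve, pkg, sev, fixable in blocking:
        print(f"BLOCK {sev:8} {cve} {pkg} in {target}")
    sys.exit(exit_code_for(data))
```

Run it as `python gate.py report.json` after a Trivy scan; with the embedded sample only the fixable HIGH openssl finding blocks, while the unfixable CRITICAL one is reported as ignored rather than failing the build.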

Client/Server mode in Trivy:
Trivy also has a client/server mode: the Trivy server holds the vulnerability database, so the Trivy client does not have to download it. This is useful if you want to scan images at multiple locations and do not want to download the database at every location.

See the Trivy documentation and the Trivy GitHub repository for more details.

Conclusion:
Trivy is an easy-to-use tool that can complete a scan in seconds, unlike other scanners, and with its other features, such as support for multiple artifacts and integration into CI, Trivy stands out as the better choice. If you want to know more about it, give it a try and do not forget to read the documentation.

Thanks for reading! See you in next article.