Reinforce the power of your AWS scanning with Trivy
LEVEL: BEGGINNER
As we already know, AWS counts with a useful tool to scan our images for vulnerabilities when we push them to our registry. On this TeraTip we are going to add an extra security layer: we are going to make use of an open-source tool called Trivy.
Trivy is a comprehensive and versatile security scanner. Trivy has scanners that look for security issues and targets where it can find those issues.
Targets (what Trivy can scan):
Container Image
Filesystem
Git Repository (remote)
Virtual Machine Image
Kubernetes
AWS
Scanners (what Trivy can find there):
OS packages and software dependencies in use (SBOM)
Known vulnerabilities (CVEs)
IaC issues and misconfigurations
Sensitive information and secrets
Software licenses
Let us begin with a demo on docker image scanning.
1) Install Trivy. In my case, locally and since Im using a ubuntu distribution I will proceed with the following:
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sourc sudo apt-get update
sudo apt-get install tri
2) Execute a Trivy -v to verify the installation.
3) Now, we can run
trivy image ${our_image_to_scan}
For example: trivy image adoptopenjdk/openjdk8:alpine-slim
The output
4) Let's try another one, run
trivy image php:8.1.8-alpine
The output
Ok, this looks a bit more dangerous.
5) Fair enough. Now would be helpful to automate these scans to use on our DevSecOps pipelines. Create a file.
touch trivy-docker-image-scan.sh
With your IDE of choice open the file and paste the following content:
#!/bin/bash
dockerImageName=$(awk 'NR==1 {print $2}' Dockerfile)
echo $dockerImageName
These initial lines are going to grab the docker image from the Dockerfile and echo it to the terminal.
6) We continue editing our script. Trivy command, we are checking for different types of severity on our vulnerabilities. If the exit code of our Trivy image scan is other than CRITICAL we’ll return an exit code of 0 meaning there were no critical vulnerabilities found on the image.
If the exit code is 1, then we are going to know without a doubt that we have critical vulnerabilities in our image.
trivy image --exit-code 0 --severity MEDIUM,HIGH $dockerImageName
trivy image --exit-code 1 --severity CRITICAL $dockerImageName
7) The previous step is very delightful, but How do we leverage our DevSecOps pipelines with this information?
Here is where we can take action on a building pipeline (or not) depending on our exit codes. Let's add the bash conditional.
# Trivy scan result processing
exit_code=$?
echo "Exit Code : $exit_code"
# Check scan results
if [[ "${exit_code}" == 1 ]]; then
echo "Image scanning failed. Vulnerabilities found"
exit 1;
else
echo "Image scanning passed. No CRITICAL vulnerabilities found"
fi;
Alright! now we are able to scan our docker images and take action based on the exit code that relies on the vulnerabilities found.
Let's take a look at the final script and how we can implement it on a Jenkins pipeline.
#!/bin/bash
dockerImageName=$(awk 'NR==1 {print $2}' Dockerfile)
trivy image --exit-code 0 --severity MEDIUM,HIGH $dockerImageName
trivy image --exit-code 1 --severity CRITICAL $dockerImageName
# Trivy scan result processing
exit_code=$?
echo "Exit Code : $exit_code"
# Check scan results
if [[ "${exit_code}" == 1 ]]; then
echo "Image scanning failed. Vulnerabilities found"
exit 1;
else
echo "Image scanning passed. No CRITICAL vulnerabilities found"
fi;
Jenkinsfile
#!/bin/bash
pipeline {
agent any
stages {
stage('Trivy Vulnerability Scan - Docker') {
steps {
sh "bash trivy-docker-image-scan.sh"
}
}
}
}
Note:
There are some necessary steps to configure Jenkins, install the required plugins, the dependencies, and so on, but since this is not a Jenkins TeraTip and for briefness purposes, we keep it as simple as possible.
References:
https://aquasecurity.github.io/trivy/v0.18.3/examples/others/
https://aquasecurity.github.io/trivy/v0.18.3/installation/#nixnixos
https://www.jenkins.io/doc/book/pipeline/
Tomás Torales
Cloud Engineer
Teracloud
If you want to know more about Cloud Security, we suggest going check What did AWS Re: Invent bring us in terms of Security?
If you are interested in learning more about our #TeraTips or our blog's content, we invite you to see all the content entries that we have created for you and your needs. And subscribe to be aware of any news! 👇
