top of page

ReInforce the power of your AWS scanning with Trivy


LEVEL: BEGGINNER

 

As we already know, AWS counts with a useful tool to scan our images for vulnerabilities when we push them to our registry. On this TeraTip we are going to add an extra security layer: we are going to make use of an open-source tool called Trivy.

Trivy is a comprehensive and versatile security scanner. Trivy has scanners that look for security issues and targets where it can find those issues.

Targets (what Trivy can scan):

  • Container Image

  • Filesystem

  • Git Repository (remote)

  • Virtual Machine Image

  • Kubernetes

  • AWS

Scanners (what Trivy can find there):

  • OS packages and software dependencies in use (SBOM)

  • Known vulnerabilities (CVEs)

  • IaC issues and misconfigurations

  • Sensitive information and secrets

  • Software licenses


Let us begin with a demo on docker image scanning.


1) Install Trivy. In my case, locally and since Im using a ubuntu distribution I will proceed with the following:


sudo apt-get install wget apt-transport-https gnupg lsb-release

wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sourc sudo apt-get update

sudo apt-get install tri



2) Execute a Trivy -v to verify the installation.


3) Now, we can run

trivy image ${our_image_to_scan}


For example: trivy image adoptopenjdk/openjdk8:alpine-slim

The output


4) Let's try another one, run

trivy image php:8.1.8-alpine

The output


Ok, this looks a bit more dangerous.


5) Fair enough. Now would be helpful to automate these scans to use on our DevSecOps pipelines. Create a file.


touch trivy-docker-image-scan.sh


With your IDE of choice open the file and paste the following content:


#!/bin/bash

dockerImageName=$(awk 'NR==1 {print $2}' Dockerfile)

echo $dockerImageName


These initial lines are going to grab the docker image from the Dockerfile and echo it to the terminal.

6) We continue editing our script. Trivy command, we are checking for different types of severity on our vulnerabilities. If the exit code of our Trivy image scan is other than CRITICAL we’ll return an exit code of 0 meaning there were no critical vulnerabilities found on the image.

If the exit code is 1, then we are going to know without a doubt that we have critical vulnerabilities in our image.

trivy image --exit-code 0 --severity MEDIUM,HIGH $dockerImageName

trivy image --exit-code 1 --severity CRITICAL $dockerImageName



7) The previous step is very delightful, but How do we leverage our DevSecOps pipelines with this information?

Here is where we can take action on a building pipeline (or not) depending on our exit codes. Let's add the bash conditional.


# Trivy scan result processing

exit_code=$?

echo "Exit Code : $exit_code"

# Check scan results

if [[ "${exit_code}" == 1 ]]; then

echo "Image scanning failed. Vulnerabilities found"

exit 1;

else

echo "Image scanning passed. No CRITICAL vulnerabilities found"

fi;

Alright! now we are able to scan our docker images and take action based on the exit code that relies on the vulnerabilities found.


Let's take a look at the final script and how we can implement it on a Jenkins pipeline.

#!/bin/bash

dockerImageName=$(awk 'NR==1 {print $2}' Dockerfile)

trivy image --exit-code 0 --severity MEDIUM,HIGH $dockerImageName

trivy image --exit-code 1 --severity CRITICAL $dockerImageName

# Trivy scan result processing

exit_code=$?

echo "Exit Code : $exit_code"

# Check scan results

if [[ "${exit_code}" == 1 ]]; then


echo "Image scanning failed. Vulnerabilities found"

exit 1;

else

echo "Image scanning passed. No CRITICAL vulnerabilities found"

fi;


Jenkinsfile


#!/bin/bash

pipeline {

agent any

stages {

stage('Trivy Vulnerability Scan - Docker') {

steps {

sh "bash trivy-docker-image-scan.sh"

}

}

}

}



Note:

There are some necessary steps to configure Jenkins, install the required plugins, the dependencies, and so on, but since this is not a Jenkins TeraTip and for briefness purposes, we keep it as simple as possible.

References:

https://aquasecurity.github.io/trivy/v0.18.3/examples/others/

https://aquasecurity.github.io/trivy/v0.18.3/installation/#nixnixos

https://www.jenkins.io/doc/book/pipeline/






Tomás Torales

Cloud Engineer

Teracloud





If you want to know more about Cloud Security, we suggest going check What did AWS Re: Invent bring us in terms of Security?

 

If you are interested in learning more about our #TeraTips or our blog's content, we invite you to see all the content entries that we have created for you and your needs. And subscribe to be aware of any news! 👇