Aqua Security has announced that Trivy, their open source vulnerability scanner, is now available as an integrated option within a number of platforms. Trivy is able to scan for vulnerabilities within operating systems and a number of common application dependencies.
With this announcement, Trivy is now included within Harbor as the default scanner. Harbor is an open source container image registry and is an Incubating project with the CNCF. It is also possible to integrate Trivy with Docker to facilitate scanning Docker images.
Trivy is able to detect vulnerabilities in a number of Linux operating systems including Alpine, RHEL, CentOS, Debian, Ubuntu, SUSE, and Amazon Linux. According to Aqua, Trivy detects vulnerabilities with high accuracy, particularly on Alpine Linux and RHEL/CentOS. Teppei Fukuda, OSS engineer at Aqua Security, shared an analysis of vulnerabilities detected on a version of Alpine Linux by a number of vulnerability scanners, in which Trivy was the most successful.
Trivy will also automatically detect the following files within the container and use them to scan for vulnerabilities within any specified application dependencies:
Gemfile.lock
Pipfile.lock
composer.lock
package-lock.json
yarn.lock
Cargo.lock
Trivy can be run from the command line or integrated into a CI job. From the command line, specify the image name as follows: trivy <image-name>. Trivy will scan the image and output any detected vulnerabilities.
Trivy can be integrated into CI tools such as Travis CI, CircleCI, and GitLab CI. If a vulnerability is found, Trivy can be configured to fail the job run. To avoid failing the run, the flag --exit-code 0 can be specified. For example, to integrate with Travis CI, the .travis.yml file should be updated as follows:
$ cat .travis.yml
services:
  - docker

env:
  global:
    - COMMIT=${TRAVIS_COMMIT::8}

before_install:
  - docker build -t trivy-ci-test:${COMMIT} .
  - export VERSION=$(curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
  - wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz
  - tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz

script:
  - ./trivy --exit-code 0 --severity HIGH --no-progress trivy-ci-test:${COMMIT}
  - ./trivy --exit-code 1 --severity CRITICAL --no-progress trivy-ci-test:${COMMIT}

cache:
  directories:
    - $HOME/.cache/trivy
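The two trivy invocations in the script section above encode a policy: HIGH findings are reported but do not fail the job, CRITICAL findings do. The following Python script is an added example, not Trivy's own code or anything from Aqua, showing how a CI job can apply that same policy in a single pass over a report produced with trivy --format json (a real flag), which lets the job also list unfixed findings separately, the way Trivy's --ignore-unfixed flag does. The report shape it parses (a Results list of targets, each with a Vulnerabilities list carrying VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity) is an assumption about Trivy's JSON output, and the embedded sample report is constructed for the example with placeholder CVE identifiers.

```python
"""
Severity gate over a Trivy-style JSON report (added example, not Trivy's code).

Assumed report shape (an assumption about `trivy --format json` output):
a top-level "Results" list whose entries carry a "Target" and a
"Vulnerabilities" list with "VulnerabilityID", "PkgName", "InstalledVersion",
"FixedVersion" and "Severity". Older releases emitted the bare list, so both
forms are accepted. The sample report below is constructed for this example;
the CVE identifiers in it are placeholders, not real advisories.
"""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report with placeholder identifiers.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "trivy-ci-test:abcdef12",
    "Results": [
        {
            "Target": "trivy-ci-test:abcdef12 (alpine 3.11.3)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "musl",
                 "InstalledVersion": "1.1.24-r0", "FixedVersion": "1.1.24-r1",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "openssl",
                 "InstalledVersion": "1.1.1d-r0", "FixedVersion": "",
                 "Severity": "CRITICAL"},
            ],
        },
        {
            "Target": "app/package-lock.json",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "lodash",
                 "InstalledVersion": "4.17.11", "FixedVersion": "4.17.12",
                 "Severity": "MEDIUM"},
            ],
        },
    ],
})


def load_findings(report_text):
    """Flatten a Trivy-style JSON report into one dict per vulnerability."""
    report = json.loads(report_text)
    results = report["Results"] if isinstance(report, dict) else report
    findings = []
    for result in results:
        # A target with no findings may carry null instead of an empty list.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return findings


def gate(findings, fail_at="CRITICAL", warn_at="HIGH", ignore_unfixed=False):
    """
    Decide the job's exit code in one pass: findings at or above `warn_at`
    are reported, findings at or above `fail_at` fail the job (exit code 1).
    `ignore_unfixed` skips findings with no fixed version, which the job
    cannot act on yet by upgrading a package.
    Returns (exit_code, warnings, failures).
    """
    warnings, failures = [], []
    for f in findings:
        if ignore_unfixed and not f["fixed"]:
            continue
        rank = SEVERITY_RANK.get(f["severity"], 0)
        if rank >= SEVERITY_RANK[fail_at]:
            failures.append(f)
        elif rank >= SEVERITY_RANK[warn_at]:
            warnings.append(f)
    return (1 if failures else 0), warnings, failures


def format_finding(f):
    """One log line per finding, noting when no fixed version exists."""
    fix = f["fixed"] or "no fix available"
    return "%-8s %s %s %s -> %s (%s)" % (
        f["severity"], f["id"], f["pkg"], f["installed"], fix, f["target"])


if __name__ == "__main__":
    # Usage: python gate.py report.json   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, warns, fails = gate(load_findings(text))
    for f in warns:
        print("WARN", format_finding(f))
    for f in fails:
        print("FAIL", format_finding(f))
    sys.exit(code)
```

Run against the constructed sample, the gate reports the HIGH musl finding as a warning and fails the job on the CRITICAL openssl finding; with ignore_unfixed=True the openssl finding, which has no fixed version, is skipped and the job passes, which is the trade-off a team accepts when it uses --ignore-unfixed to keep builds green until a fix ships.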
Jerry Gamblin, principal security engineer at Kenna Security, found that within the top Docker files "over 20 percent of the files contained at least one vulnerability that would be considered high risk" and that the median number of CVEs was 37. To help share this information, Gamblin created the tool VulnerableContainers.org, which pulls the top 1000 most popular Docker Hub containers and scans them for vulnerabilities using Trivy.
Trivy is part of Aqua's portfolio of open source cloud native projects that includes: kube-bench, kube-hunter, tracee, CloudSploit, and kubectl-who-can. Trivy is licensed with the Apache 2 license and is available for download via GitHub.
Editor's note: This article was updated on 29th April to correct the list of integrations, based on a request from a Docker representative.