When and How to Use Trivy to Scan Containers for Vulnerabilities
Updated November 26, 2024.
Containers are integral to modern application development portability, resource efficiency, and ease of deployment. But there is a flip side to these benefits. Unlike traditional applications, containers bundle everything needed to run, making them a scattered setup for hidden security issues.
54% of container images in Docker Hub were found to contain sensitive information that could lead to unauthorized access, data breaches, or identity theft. What’s more, these analyzed containers were downloaded over 132 billion times.
With such a high risk of hidden secrets and vulnerabilities, tools like Trivy are becoming the go-to solution to scan containers and identify threats before they wreak potential havoc.
What is Trivy? How can I use it?
Trivy is an open-source container vulnerability scanner specifically designed for container security. It scans for vulnerabilities within the software packages, uncovers accidentally embedded secrets such as passwords, and analyzes license information associated with the included software.
Deploying Trivy is straightforward. You can use it as a command-line tool on your local machine or integrate it into your development workflow for continuous scanning. Depending on your environment, Trivy offers various deployment options, including Dockerfiles, Kubernetes workloads, and cloud provider integrations.
For example, you can deploy Trivy on a Kubernetes cluster via Helm using the following script:
helm install my-trivy aquasecurity/trivy
Why you need container vulnerability scanning
Today, containers are the go-to approach for building, deploying, and scaling applications. However, this growing popularity also brings security challenges to the forefront. Containerized applications often inherit vulnerabilities through software packages, interactions with the host system and neighboring containers, and misconfigurations in networking or storage settings.
These vulnerabilities can create openings for attackers to infiltrate your system, steal data, or disrupt operations. This is where scanners like Trivy come in. Incorporating Trivy into your data security policy ensures comprehensive scanning, significantly enhancing the protection of sensitive data against potential threats. Aside from improved data security, here are other key benefits of using container vulnerability scanners:
Early Risk Identification: Trivy scans container images in the development and build stages, enabling early vulnerability detection and resolution. This proactive approach prevents vulnerabilities from being deployed into production environments.
Continuous Security Monitoring: Integrate Trivy into your CI/CD pipeline to ensure ongoing security monitoring for your containerized applications. You can use a tool like Jit’s DevSecOps orchestration platform for a smoother and easier Trivy integration to your pipeline.
Automated Vulnerability Assessment: Trivy automates vulnerability scanning, saving you the time and resources required for manual checks.
Severity Prioritization: Trivy prioritizes vulnerabilities by severity, allowing you to focus on critical and high-risk issues first.
When to use Trivy: Scan Apps for These 7 Security Risks
Trivy is a great tool for any software development team in a regulated industry who builds and maintains containerized applications. Many compliance standards – including PCI-DSS, ISO 27001, HIPPA, and the Cyber Resilience Act – include requirements that mandate checking for application security vulnerabilities throughout the SDLC, which Trvi can address.
Beyond just those in regulated industries, Trivy can be considered by any software developer aiming to reduce the security risk of their applications running in the cloud. Not everyone needs compliance as a motivator for implementing application security best practices.
Trivy is a multi-faceted security scanner that delves into various aspects of your container images to identify potential risks. Let's explore seven key areas Trivy scans to ensure the overall security posture of your containerized applications:
1. Application Dependencies
Trivy analyzes the container image for installed application packages and libraries, checking them against vulnerability databases to identify potential security risks. It can also explore different types of lock files, such as Gemfile.lock, Pipfile.lock, and package-lock.json, to spot application dependencies.
Tips:
Start your container builds with minimal base images to reduce the number of unnecessary dependencies.
Use package managers with built-in security features, like locking down dependencies, to reduce the risk of vulnerabilities introduced by newer versions.
# Example Dockerfile snippet showing dependency pinning
FROM base_image:latest
# Install app dependencies
RUN apt-get update && \
apt-get install -y \
<package_name1>=<version1> \
<package_name2>=<version2> \
...
<package_nameN>=<versionN>
2. OS Packages Vulnerabilities
OS Package Vulnerability scanning focuses on identifying security issues in the software packages that come with your operating system in the container. These packages handle important tasks like networking and security features.
However, Trivy doesn't check custom-made packages or ones you made yourself. It only looks at official packages from trusted sources like Red Hat or Debian, comparing them against vulnerability databases to identify known security flaws. This helps ensure your container doesn't inherit vulnerabilities from outdated or insecure packages.
Tips:
- Keep your container clean by only including the packages you need.
- Start your container builds with official base images provided by OS vendors or trusted repositories like Docker Hub.
3. Misconfigurations
Trivy examines container images for security misconfiguration vulnerabilities that may pose security risks to your containers, such as:
Unnecessary open ports.
Excessive access privileges.
Insecure file permissions.
Additionally, Trivy provides pre-defined policies to identify configuration issues within the commonly used infrastructure as code (IaC) files, like Dockerfiles, Kubernetes manifests, and Terraform configurations.
For example, you can conduct an IaC misconfiguration scan with Trivy using the following command:
$ trivy config [YOUR_IaC_DIRECTORY]
4. Secret Scanning
Secret scanning involves checking container images, filesystems, and git repositories for accidentally embedded passwords, API keys, and tokens. Developers could unintentionally commit these secrets during development, posing a severe security risk.
Trivy performs thorough scans of plaintext files based on built-in rules or custom configurations to identify embedded secrets.
Here is a secret scanning example using Trivy.
Trivy identifies a critical issue in the above example: an AWS Access Key ID exposed in the file app/secret.sh.
Tips:
- Use secure vaults or environment variables to manage and access these secrets dynamically.
# Dockerfile
FROM base_image:latest
# Set environment variable for AWS Access Key ID
ENV AWS_ACCESS_KEY_ID=your_access_key_id
- Integrate automated tools like Trivy into your development pipeline to continuously scan for and identify embedded secrets.
5. Unpacked Binary Files
Trivy can scan unpacked binary files (like executables) within your container image. This capability helps identify vulnerabilities that traditional scanners might miss, especially for custom applications or those built from source. By leveraging SBOMs and vulnerability databases, Trivy provides enhanced security for your containerized applications.
Tips:
Unpacked binary scanning is an optional feature in Trivy and might require additional configuration or SBOM integration.
Although unpacked binary scanning might identify more potential vulnerabilities than package scanning, you must prioritize critical and high-severity findings first.
Here's an example demonstrating how Trivy can use an SBOM attestation as input to scan for vulnerabilities:
$ cosign verify-attestation --key /path/to/cosign.pub --type cyclonedx <IMAGE> > sbom.cdx.intoto.jsonl
$ trivy sbom ./sbom.cdx.intoto.jsonl
In this example, Trivy scans the container image using the SBOM attestation file sbom.cdx.intoto.jsonl to identify vulnerabilities in unpacked binary files.
6. Cryptographic Weaknesses
Trivy also examines cryptographic weaknesses within your container image, such as insecure encryption algorithms or ciphers. Weak cryptographic settings can render your data vulnerable to decryption or attacker tampering.
By identifying such issues, Trivy helps ensure your container uses strong cryptography to keep your data confidential and secure.
Tips:
Use industry-standard cryptographic algorithms and protocols to secure your containerized applications.
Avoid deprecated or weak encryption schemes and opt for algorithms that are widely recognized and vetted by the security community.
For example, the below Docker configuration shows how to configure a containerized application with strong cryptographic ciphers for TLS encryption.
# Example Dockerfile snippet demonstrating the use of strong encryption algorithms
FROM base_image:latest
# Configure TLS with strong cryptographic ciphers
COPY server.crt /etc/ssl/certs/server.crt
COPY server.key /etc/ssl/private/server.key
# Set up Nginx with recommended TLS configurations
RUN sed -i 's/#.*ssl_ciphers/ssl_ciphers/g' /etc/nginx/nginx.conf
RUN sed -i 's/#.*ssl_protocols/ssl_protocols/g' /etc/nginx/nginx.conf
7. License Scanning
Trivy helps you manage the legal aspects of your container images by conducting license scanning. It categorizes them using the Google License Classification (Forbidden, Restricted, etc.) to assess potential compliance risks. Although Trivy's license scanning results are not comprehensive, they provide a valuable starting point for managing open-source license obligations.
Here is an example code that executes standard license scanning using the --scanners license flag.
$ trivy image --scanners license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
2022-07-13T17:28:39.526+0300 INFO License scanning is enabled
Securing Your Apps with Trivy and Jit: A Winning Combination
Containers make development faster and smoother. However, they also come with hidden security vulnerabilities, ranging from outdated software to misconfigurations and even secret leaks. Container scanning tools like Trivy are essential to help developers identify and remediate security issues before they escalate, ensuring the robustness and resilience of their applications.
That said, Trivy is not a one-stop-shop for all application security needs. It won’t find vulnerabilities surfaced by tools like Static Application Security Testing (SAST), IaC scanning, or Dynamic Application Security Testing (DAST). You’ll probably need additional toolsets around Trivy for full code-to-cloud security.
To implement full coverage, look to tools like Jit that unify over ten code and cloud scanners in a single platform, which can be rolled out across repos in minutes. Jit’s DevSecOps orchestration platform removes the complexity of integrating Trivy and many other security tools and controls into the CI/CD.
On the container scanning front, Jit current uses Trivy for Dockerfile scanning and scanning open source NuGet libraries for vulnerabilities in C#. We’ll soon use Trivy to scan containers in the registry and at runtime.
You can manage these tools in one place and automate them to run for every PR, which provides immediate feedback on the security of every code change for developers. Explore more here.