{"id":61078,"date":"2024-04-01T15:26:05","date_gmt":"2024-04-01T09:56:05","guid":{"rendered":"https:\/\/www.tothenew.com\/blog\/?p=61078"},"modified":"2024-04-01T15:26:05","modified_gmt":"2024-04-01T09:56:05","slug":"trivy-a-comprehensive-security-scanner","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/trivy-a-comprehensive-security-scanner\/","title":{"rendered":"Trivy: A Comprehensive Security Scanner"},"content":{"rendered":"<figure class=\"lk ll lm ln lo lp lh li paragraph-image\">\n<div class=\"lh li lj\"><img decoding=\"async\" loading=\"lazy\" class=\"bg kp lq c alignnone\" role=\"presentation\" src=\"https:\/\/miro.medium.com\/v2\/resize:fit:730\/0*Vb-u9UQM5E6wWhpI.png\" alt=\"\" width=\"365\" height=\"383\" \/><\/div>\n<\/figure>\n<h2 id=\"38dc\" class=\"lr ls fr be lt lu lv lw lx ly lz ma mb mc md me mf mg mh mi mj mk ml mm mn mo bj\">Introduction<\/h2>\n<p id=\"5894\" class=\"pw-post-body-paragraph mp mq fr mr b ms nk mu mv mw nl my mz mc nm nb nc mg nn ne nf mk no nh ni nj fk bj\" data-selectable-paragraph=\"\"><code class=\"cw np nq nr ns b\"><a class=\"af nt\" href=\"https:\/\/www.cisecurity.org\/cis-benchmarks\" target=\"_blank\" rel=\"noopener ugc nofollow\"><strong class=\"mr fs\"><em class=\"nu\">CIS<\/em><\/strong><\/a><\/code> (the Center for Internet Security) is a nonprofit organization that publishes security best-practice recommendations; its offerings include the CIS Benchmarks, a set of guidelines for configuring and securing Kubernetes (K8s) clusters.<\/p>\n<p id=\"463d\" class=\"pw-post-body-paragraph mp mq fr mr b ms nk mu mv mw nl my mz mc nm nb nc mg nn ne nf mk no nh ni nj fk bj\" data-selectable-paragraph=\"\"><code class=\"cw np nq nr ns b\"><a class=\"af nt\" href=\"https:\/\/github.com\/aquasecurity\/trivy\" target=\"_blank\" rel=\"noopener ugc nofollow\"><strong class=\"mr fs\"><em class=\"nu\">Trivy<\/em><\/strong><\/a><\/code>\u00a0is an open-source security scanner for container images, filesystems, Git repositories, cloud accounts and Kubernetes clusters; for clusters it can report findings against compliance specifications such as the CIS Kubernetes Benchmark.<\/p>\n
<h2 id=\"7f07\" class=\"pw-post-body-paragraph mp mq fr mr b ms nk mu mv mw nl my mz mc nm nb nc mg nn ne nf mk no nh ni nj fk bj\">Why Adopt Trivy?<\/h2>\n<p id=\"3e0b\" class=\"pw-post-body-paragraph mp mq fr mr b ms nk mu mv mw nl my mz mc nm nb nc mg nn ne nf mk no nh ni nj fk bj\" data-selectable-paragraph=\"\">Trivy is a single tool that is not limited to auditing K8s clusters: the same binary checks Docker images, filesystems, IaC configuration and cloud account settings for known vulnerabilities, misconfigurations and leaked secrets. That breadth makes it a valuable addition at several stages of a CI pipeline.<\/p>\n<h2 id=\"7e5a\" class=\"lr ls fr be lt lu lv lw lx ly lz ma mb mc md me mf mg mh mi mj mk ml mm mn mo bj\">Table of Contents<\/h2>\n<ul>\n<li>Introduction to Trivy<\/li>\n<li>How to Install Trivy<\/li>\n<li>Vulnerability Scanning<\/li>\n<li>Integration to CI-CD via GitHub Actions<\/li>\n<li>Conclusion<\/li>\n<\/ul>\n<h2 id=\"4ed4\" class=\"od ls fr be lt oe of og lx oh oi oj mb ok ol om on oo op oq or os ot ou ov ow bj\">Trivy<\/h2>\n<p id=\"8c64\" class=\"pw-post-body-paragraph mp mq fr mr b ms mt mu mv mw mx my mz mc na nb nc mg nd ne nf mk ng nh ni nj fk bj\" data-selectable-paragraph=\"\">Trivy is an open-source vulnerability and security scanner. For detailed documentation, refer to the Trivy\u00a0<a class=\"af nt\" href=\"https:\/\/aquasecurity.github.io\/trivy\/v0.45\/docs\" target=\"_blank\" rel=\"noopener ugc nofollow\">Documentation site<\/a>.<\/p>\n<p id=\"01ea\" class=\"pw-post-body-paragraph mp mq fr mr b ms nk mu mv mw nl my mz mc nm nb nc mg nn ne nf mk no nh ni nj fk bj\" data-selectable-paragraph=\"\">Trivy\u2019s scanning capabilities include:<\/p>\n<p id=\"c144\" class=\"pw-post-body-paragraph mp mq fr mr b ms nk mu mv mw nl my mz mc nm nb nc mg nn ne nf mk no nh ni nj fk bj\" data-selectable-paragraph=\"\"><strong>1<\/strong>. 
Container Images<br \/>\n<strong>2<\/strong>. Filesystems<br \/>\n<strong>3<\/strong>. Remote Git Repositories<br \/>\n<strong>4<\/strong>. Virtual Machine Images<br \/>\n<strong>5<\/strong>. Kubernetes<br \/>\n<strong>6<\/strong>. AWS Environments<\/p>\n<p id=\"4eea\" class=\"pw-post-body-paragraph mp mq fr mr b ms nk mu mv mw nl my mz mc nm nb nc mg nn ne nf mk no nh ni nj fk bj\" data-selectable-paragraph=\"\">Whatever the target, the scanners inventory its contents and report:<\/p>\n<p id=\"a9c0\" class=\"pw-post-body-paragraph mp mq fr mr b ms nk mu mv mw nl my mz mc nm nb nc mg nn ne nf mk no nh ni nj fk bj\" data-selectable-paragraph=\"\">1. A Software Bill of Materials (SBOM): the OS packages and application dependencies present<br \/>\n2. Known vulnerabilities (CVEs, Common Vulnerabilities and Exposures) affecting those packages<br \/>\n3. Infrastructure as Code (IaC) issues and misconfigurations<br \/>\n4. Sensitive information and hard-coded secrets<\/p>\n<p id=\"cc19\" class=\"pw-post-body-paragraph mp mq fr mr b 
ms nk mu mv mw nl my mz mc nm nb nc mg nn ne nf mk no nh ni nj fk bj\" data-selectable-paragraph=\"\">It also supports many programming languages, operating systems and platforms; for the full list, refer to the\u00a0<a class=\"af nt\" href=\"https:\/\/aquasecurity.github.io\/trivy\/v0.45\/docs\/coverage\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">Scanning Coverage<\/a>\u00a0page.<\/p>\n<h2 id=\"007f\" class=\"od ls fr be lt oe of og lx oh oi oj mb ok ol om on oo op oq or os ot ou ov ow bj\">How to Install Trivy?<\/h2>\n<p id=\"91f0\" class=\"pw-post-body-paragraph mp mq fr mr b ms mt mu mv mw mx my mz mc na nb nc mg nd ne nf mk ng nh ni nj fk bj\" data-selectable-paragraph=\"\">Trivy installation is straightforward and depends on your OS; for detailed instructions, check the <a class=\"af nt\" href=\"https:\/\/aquasecurity.github.io\/trivy\/v0.22.0\/getting-started\/installation\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">installation guide<\/a>. 
For Mac users, install Trivy with Homebrew:<\/p>\n<pre class=\"ox oy oz pa pb pc ns pd bo pe ba bj\"><span class=\"pf ls fr ns b bf pg ph l pi pj\" data-selectable-paragraph=\"\">brew install aquasecurity\/trivy\/trivy\r\n<\/span><\/pre>\n<h2 id=\"633b\" class=\"od ls fr be lt oe of og lx oh oi oj mb ok ol om on oo op oq or os ot ou ov ow bj\">Vulnerability Scanning<\/h2>\n<p id=\"6071\" class=\"pw-post-body-paragraph mp mq fr mr b ms mt mu mv mw mx my mz mc na nb nc mg nd ne nf mk ng nh ni nj fk bj\" data-selectable-paragraph=\"\">Vulnerability scanning inventories the packages, configuration files and other artifacts in a target and compares them against a database of known vulnerabilities (CVEs), a set of misconfiguration checks and a set of secret patterns. As previously discussed, the scan can be performed on container images, file systems, remote git repositories and more.<\/p>\n<p id=\"1298\" class=\"pw-post-body-paragraph mp mq fr mr b ms nk mu mv mw nl my mz mc nm nb nc mg nn ne nf mk no nh ni nj fk bj\" data-selectable-paragraph=\"\">Let\u2019s see what each scan reports by running a few basic commands for each scenario.<\/p>\n<ul>\n<li id=\"d86b\" class=\"pw-post-body-paragraph mp mq fr mr b ms nk mu mv mw nl my mz mc nm nb nc mg nn ne nf mk no nh ni nj fk bj\">\n<h4><strong class=\"mr fs\">Container Images Scan:<\/strong><\/h4>\n<\/li>\n<\/ul>\n<pre><span id=\"acce\" class=\"pf ls fr ns b bf pg ph l pi pj\" data-selectable-paragraph=\"\">   # scan an image by reference: a tag in a registry or a locally built image\r\n   $ trivy image <span class=\"hljs-selector-attr\">[image-name]<\/span>\r\n<\/span><\/pre>\n<figure class=\"ox oy oz pa pb lp lh li paragraph-image\">\n<div class=\"pl pm ee pn bg po\" role=\"button\">\n<div class=\"lh li pk\"><img decoding=\"async\" loading=\"lazy\" class=\"bg kp lq c alignnone\" role=\"presentation\" src=\"https:\/\/miro.medium.com\/v2\/resize:fit:1400\/1*XGC_IvIq2on7_uUTvWhQrA.png\" alt=\"\" width=\"700\" height=\"529\" \/><\/div>\n<\/div>\n<\/figure>\n<ul>\n<li id=\"eaf5\" class=\"pw-post-body-paragraph mp mq fr mr b ms nk mu mv mw nl my mz mc nm nb nc mg nn ne nf mk no nh ni nj fk 
bj\">\n<h4><strong class=\"mr fs\">AWS Account Misconfiguration Scanning:<\/strong><\/h4>\n<\/li>\n<\/ul>\n<p>Trivy\u2019s aws subcommand scans the configuration of an AWS account, using the credentials and region from your AWS environment, and reports misconfigured services; it is a cloud-posture check rather than a CVE scan. The whole account can be scanned, or the scan can be limited to individual services with the commands below. Results are cached between runs, so pass --update-cache when you need fresh data. Note that from Trivy v0.51 the aws subcommand is no longer built into the trivy binary and is provided by the separate trivy-aws plugin, which must be installed first on newer releases.<\/p>\n<pre class=\"ox oy oz pa pb pc ns pd bo pe ba bj\"><span id=\"f3b0\" class=\"pf ls fr ns b bf pg ph l pi pj\" data-selectable-paragraph=\"\">  # basic scan of the whole account in one region\r\n  $ trivy aws --region us-east-1\r\n\r\n  # limit the scan to a single service\r\n  $ trivy aws --region us-east-1 --service s3\r\n\r\n  # limit the scan to multiple services\r\n  $ trivy aws --region us-east-1 --service s3 --service ec2\r\n\r\n  # ignore the cached account data and query AWS again\r\n  $ trivy aws --region us-east-1 --update-cache\r\n<\/span><\/pre>\n<figure class=\"ox oy oz pa pb lp lh li paragraph-image\">\n<div class=\"pl pm ee pn bg po\" role=\"button\">\n<div class=\"lh li pp\"><img decoding=\"async\" loading=\"lazy\" class=\"bg kp lq c alignnone\" role=\"presentation\" src=\"https:\/\/miro.medium.com\/v2\/resize:fit:1400\/1*1somCIebUwJJkeamWUGBVQ.png\" alt=\"\" width=\"700\" height=\"995\" \/><\/div>\n<\/div>\n<\/figure>\n<ul>\n<li id=\"6a90\" class=\"pw-post-body-paragraph mp mq fr mr b ms nk mu mv mw nl my mz mc nm nb nc mg nn ne nf mk no nh ni nj fk bj\">\n<h4><strong class=\"mr fs\">File System Scan:<\/strong><\/h4>\n<\/li>\n<\/ul>\n<p id=\"4294\" class=\"pw-post-body-paragraph mp mq fr mr b ms nk mu mv mw nl my mz mc nm nb nc mg nn ne nf 
mk no nh ni nj fk bj\" data-selectable-paragraph=\"\">A filesystem scan walks a local directory, or a single lock file, and reports vulnerabilities in the OS packages and language dependencies it finds (for example from a Pipfile.lock or package-lock.json). By default it also runs secret detection; add --scanners misconfig to include IaC checks in the same run.<\/p>\n<pre class=\"ox oy oz pa pb pc ns pd bo pe ba bj\"><span id=\"3791\" class=\"pf ls fr ns b bf pg ph l pi pj\" data-selectable-paragraph=\"\">  # scan a local project, including language-specific lock files\r\n  $ trivy fs \/path\/to\/your_project\r\n\r\n  # scan a single file\r\n  $ trivy fs .\/trivy-ci-test\/Pipfile.lock\r\n<\/span><\/pre>\n<figure class=\"ox oy oz pa pb lp lh li paragraph-image\">\n<div class=\"pl pm ee pn bg po\" role=\"button\">\n<div class=\"lh li pq\"><img decoding=\"async\" loading=\"lazy\" class=\"bg kp lq c alignnone\" role=\"presentation\" src=\"https:\/\/miro.medium.com\/v2\/resize:fit:1400\/1*sm2Z6mCRbHbZOANFFUk5ag.png\" alt=\"\" width=\"700\" height=\"786\" \/><\/div>\n<\/div>\n<\/figure>\n<ul>\n<li id=\"efe7\" class=\"pw-post-body-paragraph mp mq fr mr b ms nk mu mv mw nl my mz mc nm nb nc mg nn ne nf mk no nh ni nj fk bj\">\n<h4><strong class=\"mr fs\">IaC Misconfiguration Scanning:<\/strong><\/h4>\n<\/li>\n<\/ul>\n<p id=\"ead8\" class=\"pw-post-body-paragraph mp mq fr mr b ms nk mu mv mw nl my mz mc nm nb nc mg nn ne nf mk no nh ni nj fk bj\" data-selectable-paragraph=\"\">Trivy can also scan configuration files such as Terraform, CloudFormation, Kubernetes manifests, Helm charts and Dockerfiles for misconfigurations. The config subcommand runs only the misconfiguration checks, with no vulnerability lookup, so it is cheap enough to run on every commit.<\/p>\n<pre class=\"ox oy oz pa pb pc ns pd bo pe ba bj\"><span id=\"dabf\" class=\"pf ls fr ns b bf pg ph l pi pj\" data-selectable-paragraph=\"\">  # check the IaC files under DIR for misconfigurations\r\n  $ trivy config <span class=\"hljs-selector-attr\">[flags]<\/span> DIR\r\n<\/span><\/pre>\n<figure class=\"ox oy oz pa pb lp lh li 
paragraph-image\">\n<div class=\"pl pm ee pn bg po\" role=\"button\">\n<div class=\"lh li pr\"><img decoding=\"async\" loading=\"lazy\" class=\"bg kp lq c alignnone\" role=\"presentation\" src=\"https:\/\/miro.medium.com\/v2\/resize:fit:1400\/1*YLyIfBz5o192HTsFfc0UmA.png\" alt=\"\" width=\"700\" height=\"484\" \/><\/div>\n<\/div>\n<\/figure>\n<p class=\"ox oy oz pa pb pc ns pd bo pe ba bj\">\n<div class=\"er es et eu ev l\">\n<article>\n<div class=\"l\">\n<div class=\"l\">\n<section>\n<div class=\"fk fl fm fn fo\">\n<div class=\"ab ca\">\n<div class=\"ch bg ew ex ey ez\">\n<h2 id=\"e8c5\" class=\"lr ls fr be lt lu lv lw lx ly lz ma mb mc md me mf mg mh mi mj mk ml mm mn mo bj\"><strong class=\"al\">Integration to CI-CD via GitHub Actions<\/strong><\/h2>\n<p id=\"038c\" class=\"pw-post-body-paragraph mp mq fr mr b ms mt mu mv mw mx my mz mc na nb nc mg nd ne nf mk ng nh ni nj fk bj\" data-selectable-paragraph=\"\">Vulnerability, misconfiguration and secret scanning can be automated as part of your CI workflow, and the scan step can be configured (through Trivy\u2019s exit-code option) to fail the workflow when findings at or above a chosen severity are present, so a vulnerable image or a committed secret is blocked before it is merged or deployed.<\/p>\n<figure class=\"ox oy oz pa pb lp lh li paragraph-image\">\n<div class=\"pl pm ee pn bg po\" role=\"button\">\n<div class=\"lh li ps\"><img decoding=\"async\" loading=\"lazy\" class=\"bg kp lq c\" role=\"presentation\" src=\"https:\/\/miro.medium.com\/v2\/resize:fit:1400\/0*HvLU4R8Q_8VL46UR.png\" alt=\"\" width=\"700\" height=\"317\" \/><\/div>\n<\/div><figcaption class=\"pt pu pv lh li pw px be b bf z dw\" data-selectable-paragraph=\"\">Trivy CI Workflow<\/figcaption><\/figure>\n<p id=\"d3ff\" class=\"pw-post-body-paragraph mp mq fr mr b ms nk mu mv mw nl my mz mc nm nb nc mg nn ne nf mk no nh ni nj fk bj\" data-selectable-paragraph=\"\">Trivy can be 
integrated into a CI workflow with its official GitHub Action; the available inputs and further examples are documented in the\u00a0<a class=\"af nt\" href=\"https:\/\/github.com\/aquasecurity\/trivy-action\" target=\"_blank\" rel=\"noopener ugc nofollow\">Trivy GitHub Action<\/a> repository.<\/p>\n<p id=\"0ef6\" class=\"pw-post-body-paragraph mp mq fr mr b ms nk mu mv mw nl my mz mc nm nb nc mg nn ne nf mk no nh ni nj fk bj\" data-selectable-paragraph=\"\">Note: for the other options Trivy supports, refer to this blog post,\u00a0which describes adding Trivy to your own GitHub Actions workflows.<\/p>\n<h2 id=\"5b6b\" class=\"lr ls fr be lt lu lv lw lx ly lz ma mb mc md me mf mg mh mi mj mk ml mm mn mo bj\" data-selectable-paragraph=\"\">Conclusion<\/h2>\n<p id=\"cf38\" class=\"pw-post-body-paragraph mp mq fr mr b ms mt mu mv mw mx my mz mc na nb nc mg nd ne nf mk ng nh ni nj fk bj\" data-selectable-paragraph=\"\">This article has given a basic understanding of vulnerability scanning with Trivy. Its broad and configurable coverage makes it a valuable tool for reinforcing the security of our clusters and the surrounding environment.<\/p>\n<p class=\"pw-post-body-paragraph mp mq fr mr b ms mt mu mv mw mx my mz mc na nb nc mg nd ne nf mk ng nh ni nj fk bj\" data-selectable-paragraph=\"\">Additionally, Trivy integrates with IDEs, CI tools and more, as explained in the official documentation. We therefore consider it a must-have in a CI-CD workflow for catching known vulnerabilities, misconfigurations and leaked secrets before they reach production. 
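The workflow below is an added example of the GitHub Actions integration described above; it is not taken from the original post or from the trivy-action project. It assumes a Dockerfile at the repository root, an image called example-app, and the action pinned to the 0.28.0 release tag (replace that with the tag or commit SHA you have reviewed). The filesystem step gates on misconfigurations and committed secrets, the image step gates on fixable HIGH and CRITICAL CVEs, and the SARIF upload still runs when a gate fails so the findings reach the repository's Security tab.

```yaml
# .github/workflows/trivy.yml (added example: assumes a Dockerfile at the repo
# root and an image named example-app; pin the action to a reviewed tag or SHA)
name: trivy

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required by the SARIF upload step below

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # 1. Repository content: IaC misconfigurations and committed secrets.
      #    exit-code 1 turns any HIGH/CRITICAL finding into a failed check.
      - name: Trivy filesystem scan
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          scanners: misconfig,secret
          severity: HIGH,CRITICAL
          exit-code: '1'

      # 2. The built image: OS and language package CVEs. ignore-unfixed keeps
      #    the gate actionable by skipping CVEs that have no fixed version yet.
      - name: Build image
        run: docker build -t example-app:${{ github.sha }} .

      - name: Trivy image scan
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: image
          image-ref: example-app:${{ github.sha }}
          format: sarif
          output: trivy-image.sarif
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: '1'

      # 3. Publish results to the Security tab even when the image gate failed.
      #    hashFiles guards against the file being absent when step 1 already failed.
      - name: Upload Trivy SARIF
        if: ${{ always() && hashFiles('trivy-image.sarif') != '' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-image.sarif
```

The filesystem scan runs before the build so a leaked key or a root-user Dockerfile stops the job before an image is produced; the upload step is guarded with hashFiles because the SARIF file only exists if the image step actually ran.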
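When a pipeline runs Trivy with --format json --output, a later step can apply its own policy to the report rather than relying only on Trivy's exit code. The script below is an added example, not code from the original post or from Trivy; SAMPLE_REPORT is a constructed report with placeholder CVE identifiers that follows the field names Trivy emits (Results, Vulnerabilities, Misconfigurations, Secrets). The threshold and ignore-unfixed behaviour mirror Trivy's --severity and --ignore-unfixed flags, and the gate adds one rule the plain exit code does not express: a detected secret always blocks, whatever severity the rule assigns it.

```python
"""Apply a CI gate to a Trivy JSON report.

Added example, not code from the original post or from Trivy. Produce the input
with e.g.  trivy image --format json --output report.json example-app:1.0
and run    python trivy_gate.py report.json --threshold HIGH --ignore-unfixed
With no path the built-in SAMPLE_REPORT (constructed, placeholder CVE IDs) is used.
"""
import argparse
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report, trimmed to the fields the gate reads. The shape
# (Results -> Vulnerabilities / Misconfigurations / Secrets) is what Trivy emits.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example-app:1.0",
    "Results": [
        {"Target": "example-app:1.0 (debian 12.5)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "FixedVersion": "2.4", "Severity": "LOW"}]},
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
         "Misconfigurations": [
             {"ID": "DS002", "Severity": "HIGH", "Status": "FAIL"}]},
        {"Target": "app/settings.py", "Class": "secret",
         "Secrets": [
             {"RuleID": "aws-access-key-id", "Severity": "CRITICAL", "StartLine": 12}]},
    ],
}


def severity_rank(severity):
    """Comparable integer for a Trivy severity string; unknown values rank lowest."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def findings(report, ignore_unfixed=False):
    """Flatten a report into (kind, severity, identifier, target) tuples.
    ignore_unfixed mirrors --ignore-unfixed: drop CVEs that have no FixedVersion yet."""
    out = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            out.append(("vuln", v["Severity"], v["VulnerabilityID"], target))
        for m in result.get("Misconfigurations") or []:
            if m.get("Status", "FAIL") != "FAIL":  # passed checks can be listed too
                continue
            out.append(("misconfig", m["Severity"], m["ID"], target))
        for s in result.get("Secrets") or []:
            out.append(("secret", s["Severity"], s["RuleID"], target))
    return out


def severity_counts(report, ignore_unfixed=False):
    """Findings per severity, e.g. for a PR comment or job summary."""
    return Counter(sev for _, sev, _, _ in findings(report, ignore_unfixed))


def gate(report, threshold="HIGH", ignore_unfixed=False):
    """Return (passed, blocking). A finding blocks at or above the threshold;
    a secret blocks whatever its severity, because a leaked credential has to be
    rotated now and cannot wait for a patch window the way a CVE can."""
    floor = severity_rank(threshold)
    blocking = [f for f in findings(report, ignore_unfixed)
                if f[0] == "secret" or severity_rank(f[1]) >= floor]
    return (not blocking, blocking)


def main(argv=None):
    parser = argparse.ArgumentParser(description="fail when a Trivy report has blocking findings")
    parser.add_argument("report", nargs="?", help="trivy --format json output (default: sample)")
    parser.add_argument("--threshold", default="HIGH", choices=SEVERITY_ORDER)
    parser.add_argument("--ignore-unfixed", action="store_true")
    args = parser.parse_args(argv)
    if args.report:
        with open(args.report) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    print("findings by severity:", dict(severity_counts(report, args.ignore_unfixed)))
    passed, blocking = gate(report, args.threshold, args.ignore_unfixed)
    for kind, sev, ident, target in blocking:
        print(f"BLOCK {sev:<8} {kind:<9} {ident} ({target})")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as a CI step after the scan, the script's exit status is the gate; the per-severity summary it prints is the kind of line worth posting back to the pull request so reviewers see what was blocked and why.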
Keep following us for more insights on such topics.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/section>\n<\/div>\n<\/div>\n<\/article>\n<\/div>\n<div class=\"ap-custom-wrapper\"><\/div><!--ap-custom-wrapper-->","protected":false},"excerpt":{"rendered":"<p>Introduction CIS (the Center for Internet Security) is a nonprofit organization that publishes security best-practice recommendations; its offerings include the CIS Benchmarks, a set of guidelines for configuring and securing Kubernetes (K8s) clusters. Trivy\u00a0is an open-source security scanner for container images, filesystems, Git repositories, cloud accounts and Kubernetes clusters; for clusters it can report findings against compliance specifications such as the CIS Kubernetes Benchmark. Why Adopt Trivy? Trivy is [&hellip;]<\/p>\n","protected":false},"author":1543,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":55},"categories":[2026,4308,2348],"tags":[5777],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/61078"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/1543"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=61078"}],"version-history":[{"count":2,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/61078\/revisions"}],"predecessor-version":[{"id":61152,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/61078\/revisions\/61152"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=61078"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=61078"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=61078"}],"curies":[{"name":"wp
","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}