The many layers of software dependencies inside containers add extra security considerations. Luckily, there are a number of tools, such as Trivy and Docker scan, for scanning Docker images for vulnerabilities.
[Trivy is a] Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
Trivy can be installed with the following commands on Debian-based Linux distros, including WSL environments.
```bash
# Add the Trivy deb repository's GPG key
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
# Now add the repository
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
# Update apt's package lists
sudo apt update
# Install Trivy
sudo apt install trivy
```
Scan an image that has been pulled or built locally with this command.
```bash
trivy image anaconda3:latest
```
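Once an image has been scanned, a CI pipeline usually needs a pass/fail decision rather than a table to read. The following added example (not from the original post or the Trivy project) reads the report that `trivy image --format json` produces, counts findings per severity and exits non-zero when anything at HIGH or above is found; the embedded report is a constructed sample with placeholder CVE ids, and the key names it relies on are those of Trivy's JSON output (`Results`, `Target`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`).

```python
import json
import sys
from collections import Counter

# Severity ranking, lowest to highest, using Trivy's severity names.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample shaped like `trivy image --format json` output (placeholder CVE ids, not a real scan).
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "ArtifactName": "anaconda3:latest", "Results": [
    {"Target": "anaconda3:latest (debian 11.6)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl1.1", "InstalledVersion": "1.1.1n-0+deb11u3",
         "FixedVersion": "1.1.1n-0+deb11u4", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib1g", "InstalledVersion": "1:1.2.11.dfsg-2",
         "FixedVersion": "", "Severity": "LOW"}]},
    {"Target": "opt/conda/lib/python3.9/site-packages", "Class": "lang-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "cryptography", "InstalledVersion": "3.4.8",
         "FixedVersion": "39.0.1", "Severity": "CRITICAL"}]},
    {"Target": "opt/conda/bin", "Class": "lang-pkgs", "Vulnerabilities": None}]})


def summarize(report_json, fail_on="HIGH", fixed_only=False):
    """Count findings per severity and collect those at or above fail_on.
    fixed_only=True skips findings with no FixedVersion, so a gate does not block on
    issues nobody can patch yet. Returns (counts, blocking); blocking holds
    (target, cve, package, installed, fixed) tuples."""
    threshold = SEVERITY_ORDER.index(fail_on)
    counts, blocking = Counter(), []
    for result in json.loads(report_json).get("Results", []):
        # Targets with no findings may carry null (or no key) instead of [].
        for vuln in result.get("Vulnerabilities") or []:
            fixed = vuln.get("FixedVersion", "")
            if fixed_only and not fixed:
                continue
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] += 1
            if SEVERITY_ORDER.index(sev) >= threshold:
                blocking.append((result["Target"], vuln["VulnerabilityID"],
                                 vuln["PkgName"], vuln["InstalledVersion"], fixed))
    return counts, blocking


def main():
    # Read a real report from stdin; fall back to the constructed sample when run interactively.
    raw = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    counts, blocking = summarize(raw)
    print(" ".join(f"{s}={counts[s]}" for s in reversed(SEVERITY_ORDER) if counts[s]))
    for target, cve, pkg, installed, fixed in blocking:
        print(f"BLOCK {cve} {pkg} {installed} -> {fixed or 'no fix'} [{target}]")
    sys.exit(1 if blocking else 0)


if __name__ == "__main__":
    main()
```

In a pipeline the script is fed the real report with `trivy image --format json anaconda3:latest | python3 trivy_gate.py`, and the non-zero exit code fails the job.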
Trivy has a lot of interesting options, including some useful experimental ones.
```text
$ trivy --help
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets

Usage:
  trivy [global flags] command [flags] target
  trivy [command]

Examples:
  # Scan a container image
  $ trivy image python:3.4-alpine

  # Scan a container image from a tar archive
  $ trivy image --input ruby-3.1.tar

  # Scan local filesystem
  $ trivy fs .

  # Run in server mode
  $ trivy server

Available Commands:
  aws         [EXPERIMENTAL] Scan AWS account
  completion  Generate the autocompletion script for the specified shell
  config      Scan config files for misconfigurations
  filesystem  Scan local filesystem
  help        Help about any command
  image       Scan a container image
  kubernetes  [EXPERIMENTAL] Scan kubernetes cluster
  module      Manage modules
  plugin      Manage plugins
  repository  Scan a remote repository
  rootfs      Scan rootfs
  sbom        Scan SBOM for vulnerabilities
  server      Server mode
  version     Print the version
  vm          [EXPERIMENTAL] Scan a virtual machine image

Flags:
      --cache-dir string          cache directory (default "/home/alex/.cache/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
  -f, --format string             version format (json)
      --generate-default-config   write the default config to trivy-default.yaml
  -h, --help                      help for trivy
      --insecure                  allow insecure server connections when using TLS
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version

Use "trivy [command] --help" for more information about a command.
```