What is Trivy?
Trivy is a comprehensive, open-source vulnerability scanner for containers and other artifacts. It's designed to detect vulnerabilities in container images, file systems, and git repositories, as well as to identify misconfigurations in Kubernetes, Terraform, and other IaC files. Developed by Aqua Security, Trivy is known for its ease of use, speed, and accuracy.
Key Features
- Container Image Scanning: Detects vulnerabilities in OS packages (Alpine, RHEL, CentOS, etc.) and language-specific dependencies (Bundler, Composer, npm, yarn, etc.).
- Filesystem Scanning: Scans local directories for vulnerabilities in project dependencies.
- Git Repository Scanning: Scans remote git repositories for vulnerabilities.
- Infrastructure as Code Scanning: Detects misconfigurations in Kubernetes, Docker, Terraform, CloudFormation, and more.
- CI/CD Integration: Easily integrates with CI/CD tools like GitHub Actions, GitLab CI, CircleCI, and more.
- Fast and Accurate: Provides quick scanning with low false positives.
Integration with DevOps Pipeline
Trivy can be integrated into your DevOps pipeline to automatically scan your container images and other artifacts for vulnerabilities. Here's how you can integrate Trivy into your pipeline:
1. GitHub Actions Integration
Add Trivy scanning to your GitHub Actions workflow to scan container images before deployment.
name: Build and Scan
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Build an image from Dockerfile
        run: |
          docker build -t my-app:${{ github.sha }} .
      - name: Run Trivy vulnerability scanner
        # For production pipelines, pin the action to a release tag or commit SHA instead of master
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'my-app:${{ github.sha }}'
          format: 'table'
          # exit-code 1 fails the job when a finding matches the severity filter below
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
2. GitLab CI Integration
Add Trivy scanning to your GitLab CI pipeline to scan container images.
stages:
  - build
  - scan
  - deploy

build:
  stage: build
  # Requires a runner with access to a Docker daemon
  script:
    - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

trivy-scan:
  stage: scan
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  # The image is pulled back from the registry, so the job needs read access to it
  # (for a private registry, Trivy reads credentials from TRIVY_USERNAME / TRIVY_PASSWORD)
  script:
    - trivy image --exit-code 1 --severity HIGH,CRITICAL $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

deploy:
  stage: deploy
  script:
    - echo "Deploying application..."
  only:
    - main
3. Jenkins Integration
Add Trivy scanning to your Jenkins pipeline to scan container images.
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                sh 'docker build -t my-app:${BUILD_NUMBER} .'
            }
        }
        stage('Scan') {
            steps {
                // Assumes the trivy binary is installed on the agent; exit code 1 fails the build
                // as soon as a HIGH or CRITICAL finding is reported
                sh 'trivy image --exit-code 1 --severity HIGH,CRITICAL my-app:${BUILD_NUMBER}'
            }
        }
        stage('Deploy') {
            when {
                branch 'main'
            }
            steps {
                echo 'Deploying application...'
            }
        }
    }
}
Best Practices
- Scan container images as part of your CI/CD pipeline before deploying to production.
- Set appropriate severity thresholds based on your organization's risk tolerance.
- Regularly update Trivy to ensure you have the latest vulnerability database.
- Implement a process for addressing vulnerabilities found by Trivy.
- Consider using Trivy's ignore file to manage false positives or vulnerabilities that cannot be fixed immediately.
- Integrate Trivy results with your vulnerability management system for tracking and reporting.
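As an added example (not code from the original article or from the Trivy project), the following Python gate applies the policy the pipelines above express on the command line, a severity threshold, --ignore-unfixed and a .trivyignore list, to Trivy's JSON report (the output of trivy image --format json). It runs on a constructed report with placeholder CVE identifiers, and is the shape of check you need when the same JSON is also exported to a vulnerability management system.

```python
import json

# Constructed sample shaped like Trivy's JSON report (SchemaVersion 2); placeholder CVE IDs, not real advisories.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "my-app:abc123",
    "Results": [
        {"Target": "my-app:abc123 (alpine 3.18.0)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "InstalledVersion": "3.1.0-r0",
              "FixedVersion": "3.1.1-r0", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "InstalledVersion": "1.36.0-r0",
              "Severity": "HIGH"},  # no FixedVersion key: upstream has not shipped a fix yet
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "InstalledVersion": "1.2.13-r0",
              "FixedVersion": "1.2.13-r1", "Severity": "MEDIUM"}]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "lodash", "InstalledVersion": "4.17.20",
              "FixedVersion": "4.17.21", "Severity": "HIGH"}]}]})

# Constructed .trivyignore contents: one vulnerability ID per line, '#' starts a comment.
SAMPLE_IGNORE = "# accepted risk, tracked in ticket TICKET-PLACEHOLDER\nCVE-0000-0004\n"


def parse_ignore_file(text):
    """Return the set of vulnerability IDs listed in .trivyignore-style text."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def blocking_findings(report_json, severities=("CRITICAL", "HIGH"),
                      ignore_unfixed=True, ignore_ids=frozenset()):
    """Findings that should fail the build: the --severity / --ignore-unfixed filtering plus the ignore list."""
    blocking = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key is absent for clean targets
            if vuln["Severity"] not in severities:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # nothing to upgrade to yet: track it, do not block on it
            if vuln["VulnerabilityID"] in ignore_ids:
                continue  # accepted risk recorded in the ignore file
            blocking.append((result["Target"], vuln["VulnerabilityID"], vuln["PkgName"], vuln["Severity"]))
    return blocking


def gate_exit_code(report_json, ignore_text=""):
    """Exit code for the scan stage: 1 when any blocking finding remains, else 0."""
    return 1 if blocking_findings(report_json, ignore_ids=parse_ignore_file(ignore_text)) else 0
```

Findings skipped by the ignore list or by ignore_unfixed still belong in the exported report; only the pass/fail decision excludes them.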
Conclusion
Trivy is a powerful, easy-to-use vulnerability scanner that can help you identify and address security issues in your container images and other artifacts. By integrating Trivy into your DevOps pipeline, you can ensure that your applications are secure before they reach production.