Trivy for Engineers: Finding Vulnerabilities in Go, Docker, and Kubernetes
Trivy helps you ensure the security of your software supply chain from a developer's perspective. It can be integrated into your CI/CD pipeline to automatically scan your code and container images for security issues before they are deployed. This "shift-left" approach allows you to catch and fix problems early, which is more efficient and cost-effective than finding them in production.
Trivy's key features and how they are useful
Vulnerability Scanning
Trivy can scan container images and file systems for known vulnerabilities. It checks against multiple vulnerability databases, providing you with a list of CVEs (Common Vulnerabilities and Exposures) and their severity.
Misconfiguration Detection
It can scan IaC (Infrastructure as Code) files like Terraform, Kubernetes manifests, and Dockerfiles to detect misconfigurations that could lead to security risks. For example, it can flag a Kubernetes service that's configured to be publicly accessible when it shouldn't be.
Secret Detection
Trivy can find hardcoded secrets, such as API keys and passwords, in your code and container images. This is crucial because accidentally committing secrets to a repository is a common security blunder.
SBOM (Software Bill of Materials) Generation
An SBOM is a list of all components in your software. Trivy can generate an SBOM for your container images, which is useful for compliance and understanding your application's dependencies.
The easiest way to install Trivy is using your system's package manager.
macOS
brew install trivy
Linux
Check the official Trivy documentation for the appropriate package manager command for your distribution.
Docker
You can also use Trivy as a Docker image without installing it on your machine
docker run aquasec/trivy [command]
If you're a Go developer, you can use Trivy to scan your project's dependencies for vulnerabilities.
Example
Navigate to your Go project's root directory.
Run the following command
trivy fs .
This command scans the file system, including your go.mod and go.sum files, and provides a report of any vulnerabilities found in your dependencies.
This is one of the most common use cases for Trivy. You can scan a Docker image directly.
Example
Pull a vulnerable image from Docker Hub, for example, a version of nginx with known issues.
docker pull nginx:1.14.2
Scan the image with Trivy
trivy image nginx:1.14.2
The output will show a list of vulnerabilities with their severity, package, and a link to the CVE details.
Trivy can scan your Kubernetes cluster to check for misconfigurations and vulnerabilities in deployed images.
Example
Scan the workloads running in your cluster.
trivy k8s cluster
This command will scan all pods, deployments, and other resources in your cluster and report on any security issues.
Scan a specific namespace
trivy k8s --namespace default
This narrows the scan down to a single namespace.
Integrating Trivy into your CI/CD pipeline is where its real power shines. You can add a step to your build process that automatically runs a Trivy scan. If the scan finds critical vulnerabilities, you can configure the pipeline to fail the build, preventing insecure code from being deployed.
Example (GitHub Actions)
You can add a step to your GitHub Actions workflow YAML file like this
name: CI
on:
push:
branches:
- main
jobs:
build-and-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Build Docker Image
run: docker build -t my-app .
- name: Run Trivy Scan
uses: aquasecurity/trivy-action@master
with:
image-ref: 'my-app'
format: 'table'
output: 'trivy-results.txt'
exit-code: '1' # Fails the workflow if vulnerabilities are found
severity: 'CRITICAL,HIGH' # Only checks for critical and high severity issues