Trivy Detects Vulnerabilities When Integrated With CI Builds

Many of us have started building and deploying applications using Docker containers. We'll be using Trivy, a simple and comprehensive vulnerability scanner for containers that is well suited to CI.

Many of us have started building and deploying applications using Docker containers. In my previous piece, I talked about how to convert a simple Spring Boot application into a Docker container without writing the Dockerfile.

Now that we know how to build Docker images, we need to make sure we scan those images for known vulnerabilities before they are deployed.

There are various open-source scanners (Clair, which also backs Quay's scanning, etc.) and registry-specific scanners (Docker Hub, GCR, etc.) on the market. The open-source ones have limited capabilities, while the registry-specific scanners are tightly coupled to their own registry. Docker Hub doesn't even scan nonofficial images, which makes it worse.

Introducing Trivy

Trivy is a simple and comprehensive vulnerability scanner for containers. It detects vulnerabilities in OS packages (Alpine, RHEL, CentOS, etc.) and in application dependencies (Bundler, Composer, npm, yarn, etc.) inside the image.

For me, the biggest advantage is how easily it integrates with CI builds: it runs as a single binary or Docker image and returns an exit code you can gate the build on. You can take a look at the project's GitHub page for installation instructions for various platforms.

Integrating With AzureDevOps CI

For this tutorial, I have a sample Spring Boot application, continuing from my previous piece, whose build generates a Docker image of the Java application and pushes it to the Docker Hub registry.

So my first build task looks pretty simple:

Next, I have added a task that pulls the Trivy Docker image and runs a scan against the image that was built and pushed earlier in the same build.

Here’s the first command I’m running:

docker run --rm -v $HOME:/root/.cache/ aquasec/trivy --exit-code 0 --severity MEDIUM,HIGH --ignore-unfixed tanmaydeshpande/hello-jib:$(Build.SourceVersion)

This pulls the specified image from the registry and scans it, reporting only MEDIUM and HIGH findings. If any are found, their details are printed, but the build won't fail because --exit-code is 0: Trivy then returns 0 whether or not it finds something. A nonzero exit from this step therefore means the scanner itself failed (for example, it could not pull the image or update its vulnerability database), not that it found a vulnerability. Note that -v $HOME:/root/.cache/ mounts the agent's entire home directory as Trivy's cache; a dedicated directory or a named volume is a cleaner choice.

The next command we have is:

docker run --rm -v $HOME:/root/.cache/ aquasec/trivy --exit-code 1 --severity CRITICAL --ignore-unfixed tanmaydeshpande/hello-jib:$(Build.SourceVersion)

This scans the same image for CRITICAL vulnerabilities, and because --exit-code is 1, Trivy returns 1 whenever it finds any, which fails the build.

I have also added one flag: --ignore-unfixed. By default, Trivy also reports vulnerabilities for which the distribution has not yet published a fixed package version. You can't remediate those by updating packages, so in a build gate they are pure noise. On the other hand, hiding them means a known CRITICAL issue can ship unnoticed until a fix appears. So take a cautious call on this flag.

When I ran my build without this flag, I got output like this:

Now, based on the build result, you can decide whether you're fine with deploying the image into your environment.
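The two tasks above boil down to a warn-then-fail gate. Here is that gate as a single POSIX shell script, written for this page as an added example rather than taken from the article's pipeline. It assumes the image reference is passed as the first argument, caches Trivy's database in a named Docker volume called trivy-cache instead of mounting the whole of $HOME, and exposes a DOCKER_BIN variable (an assumption added for testability, not a Trivy feature) so the gate logic can be exercised without a daemon. It also separates the three outcomes the two commands above run together: a clean image, CRITICAL findings, and the scanner itself failing.

```shell
#!/bin/sh
# Two-stage Trivy gate: the logic of the two CI tasks in one script.
# Added example, not the article's pipeline. Assumptions: the image
# reference is $1; the Trivy DB lives in a named volume (CACHE_VOLUME)
# rather than the agent's whole $HOME; DOCKER_BIN exists only so the gate
# can be exercised without a Docker daemon (point it at a wrapper or a
# shell function).

DOCKER_BIN="${DOCKER_BIN:-docker}"
TRIVY_IMAGE="${TRIVY_IMAGE:-aquasec/trivy}"
CACHE_VOLUME="${CACHE_VOLUME:-trivy-cache}"

# trivy_scan IMAGE SEVERITIES EXIT_CODE [extra trivy flags...]
# One scan. Trivy returns 0 when nothing is found at the given severities
# and EXIT_CODE when something is; any other status is a scanner error
# (pull failure, DB download failure, etc.).
trivy_scan() {
    image="$1"; severities="$2"; exit_code="$3"; shift 3
    "$DOCKER_BIN" run --rm -v "$CACHE_VOLUME:/root/.cache/" "$TRIVY_IMAGE" \
        --exit-code "$exit_code" --severity "$severities" "$@" "$image"
}

# gate_image IMAGE [IGNORE_UNFIXED]   (IGNORE_UNFIXED defaults to 1)
# Returns 0 = clean, 1 = CRITICAL findings (fail the build), 2 = scanner error.
gate_image() {
    image="$1"
    if [ "${2:-1}" = 1 ]; then set -- --ignore-unfixed; else set --; fi

    echo "== Advisory scan (MEDIUM,HIGH): findings are reported, never block =="
    # --exit-code 0 means findings cannot make this step fail, so a
    # nonzero status here is the scanner breaking, not a vulnerability.
    if ! trivy_scan "$image" MEDIUM,HIGH 0 "$@"; then
        echo "ERROR: Trivy could not scan $image" >&2
        return 2
    fi

    echo "== Blocking scan (CRITICAL): any finding fails the build =="
    if trivy_scan "$image" CRITICAL 1 "$@"; then
        echo "PASS: no CRITICAL vulnerabilities in $image"
        return 0
    else
        rc=$?
        if [ "$rc" -eq 1 ]; then
            echo "FAIL: CRITICAL vulnerabilities in $image" >&2
            return 1
        fi
        echo "ERROR: Trivy exited with $rc while scanning $image" >&2
        return 2
    fi
}

# In an Azure Pipelines Bash task the agent expands $(Build.SourceVersion)
# before the shell runs, e.g.:
#   sh trivy-gate.sh tanmaydeshpande/hello-jib:$(Build.SourceVersion)
if [ $# -gt 0 ]; then
    gate_image "$@"
fi
```

Drop it into a Bash task with the image reference as the argument. Pass 0 as a second argument to keep unfixed findings in the report, and treat a return code of 2 as a broken pipeline rather than a clean image: a scanner that cannot download its database should never be allowed to pass a build silently.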

Licensing

aquasecurity/trivy is licensed under the GNU Affero General Public License v3.0. Hence, you can:

WordPress in Docker. Part 1: Dockerization

This entry-level guide will tell you why and how to Dockerize your WordPress projects.

List all containers in Docker(Docker command)

We can get a list of all containers in docker using `docker container list` or `docker ps` commands.

List Docker Containers

To list Docker containers we can use either of these two commands:

  • docker container list
  • docker ps

The docker container ls command (list and ps are aliases of it) was introduced in Docker 1.13 together with the other management commands. In older versions we have to use the docker ps command.

List all containers in Docker, using the docker container ls command

The command below returns all containers, running and stopped. Note that the flag is --all, or its short form -a. Writing -all (single dash) is parsed as the shorthand flags -a -l, that is --all --latest, which shows only the most recently created container.

docker container list --all

or

docker container ls -a

List all containers in docker, using docker ps command

In older versions of Docker we use the docker ps command to list all containers. The same caveat applies: use --all or -a, not -all.

$ docker ps --all

or

$ docker ps -a

List all Running docker containers

By default, docker container ls shows only running containers.

$ docker container list

or

$ docker container ls

or

To get the list of all running Docker containers with the older command, use

$ docker ps

List all stopped docker containers command

To list stopped containers, filter on status. The exited status covers containers that ran and then stopped; a container that was created but never started has status created instead and is not matched by this filter.

$ docker container list -f "status=exited"

or

$ docker container ls -f "status=exited"

or you can use docker ps command

$ docker ps -f "status=exited"

Show the most recently created Docker container

To show only the most recently created container (in any state, running or not), use the command below. The short form is -l.

$ docker container list --latest

Show the n last created Docker containers

To display the n most recently created containers (in any state), use the command below, replacing n with a number. The short form is -n.

$ docker container list --last=n

Guide to Python Programming Language

Description
The course will take you from beginner level to advanced in the Python programming language. You do not need any prior knowledge of Python, of any other programming language, or even of programming in general to join the course and become an expert on the topic.

The course is being continuously developed, with lectures added regularly.

Please see the Promo and free sample video to get to know more.

Hope you will enjoy it.

Basic knowledge
  • An enthusiastic mind
  • A computer
  • Basic knowledge of how to use a computer
  • An internet connection
What you will learn
  • Become an expert in the Python programming language
  • Build applications in the Python programming language