Trivy Detects Vulnerabilities When Integrated With CI Builds


Many of us have started building and deploying applications using Docker containers. We’ll be using Trivy — a simple and comprehensive vulnerability scanner for containers, suitable for CI.

Many of us have started building and deploying applications using Docker containers. In my previous piece, I talked about how to convert a simple Spring Boot application into a Docker container without writing the Dockerfile.

Now that we know how to build the Docker images, we need to make sure to scan the images for known vulnerabilities.

There are various open-source (Quay, Clair, etc.) and registry-specific vulnerability scanners (Docker Hub, GCR, etc.) on the market. The open-source ones have some limited capabilities, while registry-specific scanners are tightly coupled with their respective registry usage. Docker Hub registries don’t even scan any nonofficial images — making it worse.

Introducing Trivy

Trivy is a simple and comprehensive vulnerability scanner for containers. Trivy detects vulnerabilities in OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.).

For me, the biggest advantage it gives is the feature to integrate with CI builds. You can take a look at their GitHub page for installation instructions for various platforms.

Integrating With AzureDevOps CI

For this tutorial, I have a sample Spring Boot application, continued from my previous piece, whose build generates a Docker image of the Java application and pushes it to the Docker Hub registry.

So my first build task looks pretty simple:

[Screenshot: AzureDevOps CI build task that builds and pushes the image]

Next, I have added a task that downloads the Trivy Docker image and runs a scan on the image that got built as part of this build.

[Screenshot: AzureDevOps CI task that runs the Trivy scan]

Here’s the first command I’m running:

docker run --rm -v $HOME:/root/.cache/ aquasec/trivy --exit-code 0 --severity MEDIUM,HIGH --ignore-unfixed tanmaydeshpande/hello-jib:$(Build.SourceVersion)

This will download the specified Docker image from the registry and scan it for MEDIUM and HIGH vulnerabilities. If any vulnerabilities are found, it will print the details. But this won’t fail the build, since we have set the exit code to 0.

The next command we have is:

docker run --rm -v $HOME:/root/.cache/ aquasec/trivy --exit-code 1 --severity CRITICAL --ignore-unfixed tanmaydeshpande/hello-jib:$(Build.SourceVersion)

This will scan the image for CRITICAL vulnerabilities, and since the exit code is 1, it’ll fail the build if any are found.

I have also added one flag: --ignore-unfixed. By default, Trivy also reports vulnerabilities for which no patched package version exists yet. You can't remediate those by updating packages, because there is nothing to update to; the flag skips them so the build only fails on findings you can actually fix. Bear in mind that it also hides real, currently unfixable exposure in the image, so take a cautious call on this flag.

When I ran my build without this flag, I got an output like this:

[Screenshot: Trivy scan output listing the detected vulnerabilities]

Now, based on the build result, you can decide whether you’re fine with deploying the image into your environment or not.
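The two-pass gate from the tasks above, written as an added POSIX shell example (not code from the original post), so the same commands can live in one Bash task or script. The names TRIVY_CACHE, DOCKER and IMAGE are assumptions made here: TRIVY_CACHE is the host directory mounted as Trivy's cache (the post mounts $HOME; this defaults to a dedicated directory), DOCKER=echo gives a dry run, and IMAGE is the full image reference, which in Azure DevOps would be repo/app:$(Build.SourceVersion).

```shell
#!/usr/bin/env sh
# Added example, not part of the original post: Trivy report-then-gate scan.
# TRIVY_CACHE, DOCKER and IMAGE are names chosen for this example.

# Run one Trivy pass through the aquasec/trivy container.
#   $1 = exit code to return when findings exist
#   $2 = comma-separated severity list
#   $3 = image reference to scan
trivy_scan() {
  "${DOCKER:-docker}" run --rm \
    -v "${TRIVY_CACHE:-$HOME/.cache/trivy}:/root/.cache/" \
    aquasec/trivy --exit-code "$1" --severity "$2" --ignore-unfixed "$3"
}

# Pass 1 prints MEDIUM/HIGH findings but never fails (exit code 0).
# Pass 2 fails the build (exit code 1) on any fixable CRITICAL finding.
# The function's status is that of pass 2, which is what the CI task sees.
trivy_gate() {
  image="$1"
  trivy_scan 0 MEDIUM,HIGH "$image"
  trivy_scan 1 CRITICAL "$image"
}

# Stand-alone usage: IMAGE=repo/app:tag sh trivy-gate.sh
if [ -n "${IMAGE:-}" ]; then
  trivy_gate "$IMAGE"
fi
```

With DOCKER=echo the script prints the two docker commands it would run, which is a quick way to check the severity and exit-code arguments before wiring the task into a pipeline.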

Licensing

aquasecurity/trivy is licensed under the GNU Affero General Public License v3.0. Hence, you can:

[Image: summary of what the AGPL-3.0 license permits, requires and limits]
