If you’re looking for a simple and comprehensive vulnerability scanner for your containers then Trivy is the best choice. In this post, we see how to scan a sample image & its key features.
Key Features :
- Detect comprehensive vulnerabilities for most of the OS packages like Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless and Application dependencies such as Bundler, Composer, Pipenv, Poetry, npm, yarn and Cargo
- Scanning is quick (1st scan might complete in less than 10 secs) and simple to use, just enter the image name and get results
- Suitable for CI pipelines such as Travis CI, CircleCI, Jenkins, GitLab CI, etc.
- Supports multiple formats like local image, a remote image in docker registry, image saved as tar file or OCI image format. Filesystem and Remote git repository is also supported.
Here’s a comparison with other scanners
|Easy to use||Accuracy||Suitable
|⭐ ⭐ ⭐||⭐ ⭐ ⭐||⭐ ⭐ ⭐|
|Clair||✅||×||⭐||⭐ ⭐||⭐ ⭐|
|⭐ ⭐||⭐ ⭐||⭐ ⭐ ⭐|
|Quay||✅||×||⭐ ⭐ ⭐||⭐ ⭐||×|
|Docker Hub||✅||×||⭐ ⭐ ⭐||⭐||×|
|GCR||✅||×||⭐ ⭐ ⭐||⭐ ⭐||×|
In the next section, we take look at how to scan a sample image for vulnerabilities.
Step #1.Install Trivy
I’m using Ubuntu, following is the script will install Trivy for me. For other distros, please do check here.
$ sudo apt-get install wget apt-transport-https gnupg lsb-release $ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - $ echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list $ sudo apt-get update $ sudo apt-get install trivy
Now that Trivy installation completed, Next step we can scan a sample image and check vulnerabilities.
Step #2.Detect vulnerabilities
trivy image [IMAGE_NAME] to initiate scanning and getting vulnerabilities here in this example I have used
httpd image. As you can see there are a total of 332 vulnerabilities with varying severities.
You can also filter the vulnerabilities by severities with
To save the results as JSON,use
There are many options/examples, you can check out all of them here.
Like this post? Don’t forget to share it!
Additional Resources :
- Implementing secure containers using gVisor+Docker tutorial
- Secure Coding Practices Specialization by UC Davis
- Implementing Policies in Kubernetes
- Using Docker Application Packages to Deliver Apps across Teams
- Get Job Ready with Professional Certificates from Coursera