
What is Trivy?
Trivy is an open-source security vulnerability and misconfiguration scanning tool. It can scan container images, filesystems, Git repositories and Kubernetes clusters/resources.
Trivy can be used in a CI/CD workflow to find security issues in Git pull requests, or to check the main/master branch with scheduled workflow runs.
It supports table, JSON and SARIF output formats. SARIF output can be uploaded to the GitHub repository's Security tab (this needs a GitHub Advanced Security licence for private repositories).
In this quick start demo we are going to use a simple Python application built with the Flask framework.
To demonstrate how Trivy detects vulnerabilities, we are intentionally using a Flask package version that has High-severity CVEs in our codebase, and a python:3.5 base image that has a lot of vulnerabilities.
You can clone the demo repo locally to take a closer look.
We are going to use the following workflow definition (.github/workflows/trivy.yml) to run Trivy security scanning as a GitHub Action. It scans both the Git repo and the container image: the fs (Git repo) scan results are uploaded to GitHub Security, and the container image scan results are printed on screen in table format. This definition scans for CRITICAL and HIGH alerts only.
name: trivy-scanning
on:
  push:
    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]
  schedule:
    - cron: '41 16 * * 0'
permissions: write-all
jobs:
  trivy-scanning-job:
    name: trivy-sec-scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'HIGH,CRITICAL'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-results.sarif'
      - name: Build an image from Dockerfile
        run: |
          docker build -t docker.io/devops-counsel/py-app:${{ github.sha }} .
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/devops-counsel/py-app:${{ github.sha }}'
          format: 'table'
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
When we commit the code, GitHub Actions triggers the Trivy security scanning workflow. See the screenshot below.

You can see the container image scanning results printed on screen in table format. See the screenshot below.

The fs scan results are published to the GitHub repo's Security section. See the screenshot below. It has created open issues.
Under the Security tab you can see there are two alerts.

Click on "Code scanning alerts" to see the last scan results and the open issues.

You can click on each alert to see its details.

Once we upgrade the Python package version and the Docker base image version and commit the new code, the alert is closed automatically in the "Code scanning alerts" section.
Instead of writing SARIF output to GitHub Security, we can use 'exit-code' to make the workflow fail whenever findings of the selected severities are reported, like below.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/devops-counsel/py-app:${{ github.sha }}'
          format: 'table'
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          exit-code: 1
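As an added example (not part of the original post or of the Trivy project), the same gating logic that the `severity`, `ignore-unfixed` and `exit-code` inputs apply, reimplemented in Python over a Trivy JSON report, so you can see exactly which findings would fail the job. The sample report, package names and CVE ids are constructed placeholders.

```python
"""Severity gate over a Trivy JSON report (the action's severity/ignore-unfixed/exit-code logic)."""
import json
import sys

# Constructed sample in the shape of `trivy --format json` output.
# The CVE ids and versions are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "requirements.txt", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-EXAMPLE1", "PkgName": "flask",
         "InstalledVersion": "0.12.0", "FixedVersion": "1.0", "Severity": "HIGH"}]},
    {"Target": "python:3.5 (debian)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-EXAMPLE2", "PkgName": "libc6",
         "InstalledVersion": "2.24-11", "FixedVersion": "", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-EXAMPLE3", "PkgName": "bash",
         "InstalledVersion": "4.4-5", "FixedVersion": "4.4-6", "Severity": "LOW"}]},
]})


def select_findings(report_json, severities=("HIGH", "CRITICAL"), ignore_unfixed=True):
    """Return (target, id, pkg, severity) tuples that survive the filters.
    `severities` mirrors the action's `severity` input; `ignore_unfixed`
    mirrors `ignore-unfixed` and drops findings that have no FixedVersion."""
    wanted = {s.strip().upper() for s in severities}
    selected = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits null (not []) for targets with no findings
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity", "UNKNOWN").upper() not in wanted:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            selected.append((result["Target"], vuln["VulnerabilityID"],
                             vuln["PkgName"], vuln["Severity"]))
    return selected


def gate(report_json, severities=("HIGH", "CRITICAL"), ignore_unfixed=True):
    """Print surviving findings and return the job exit code:
    1 when anything matched (the `exit-code: 1` behaviour), else 0."""
    findings = select_findings(report_json, severities, ignore_unfixed)
    for target, vid, pkg, sev in findings:
        print(f"{sev:<9}{vid:<20}{pkg:<12}{target}")
    return 1 if findings else 0


if __name__ == "__main__":
    # Pass a real report path (trivy image --format json -o report.json ...) or gate the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text))
```

With the sample, only the fixed HIGH Flask finding survives the default filter; the unfixed CRITICAL OS package is dropped by `ignore_unfixed`, exactly as `ignore-unfixed: true` would hide it in the action.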
Conclusion
In this quick demo, we have covered what Trivy is and how to use it to scan a Git repo and a container image. For further information you can read the official documentation.
Find out about similar security scanning tools:
Security Vulnerability Scanning on GitHub code repo using CodeQL