Vulnerability Scanning for Docker Images with Trivy
This guide introduces Trivy, a comprehensive and easy-to-use vulnerability scanner for container images, filesystems, and Git repositories. We will cover its installation and a practical lab to compare vulnerabilities in different base Docker images.
1. Prerequisites
Docker Installed: Ensure Docker is installed and operational on your system.

```sh
docker -v
```

If not installed, you can typically install it using Docker's convenience script:

```sh
curl -fsSL https://get.docker.com | sh
```

Piping a downloaded script straight into a shell runs it unreviewed. Download it first and read it, or install Docker from your distribution's own packages, where that matters in your environment.
2. Trivy (Aqua Security)
Trivy is an open-source vulnerability scanner by Aqua Security.

Project Repository: https://github.com/aquasecurity/trivy
2.1 Installation (Debian/Ubuntu)
The following steps describe how to install Trivy using its apt repository.
Install prerequisite packages:
Install prerequisite packages:

```sh
sudo apt-get update
sudo apt-get install -y wget apt-transport-https gnupg lsb-release
```

Add Trivy's GPG key and repository:

```sh
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
```

Note on apt-key: the `apt-key add` command is deprecated on current Debian and Ubuntu releases and prints a warning when used. It still works where it is present, but a key added this way is trusted to sign every configured repository, not only Trivy's. Newer systems expect the key to be saved under `/etc/apt/keyrings/` and referenced from the repository line with a `signed-by=` option, which limits trust in that key to the one repository; adapt the two commands above accordingly if your release has removed `apt-key`.

Update package lists and install Trivy:

```sh
sudo apt-get update
sudo apt-get install -y trivy
```

Note from original document: "You might need to run the above (`apt-get update` and `install trivy`) twice if one of the `apt-get` commands does something unexpected." (This is unusual but kept as per original advice.)
2.2 Basic Usage
View Help Information:
Key Parameters:

- `-s SEVERITY` or `--severity SEVERITY`: Filter vulnerabilities by severity (`CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, `UNKNOWN`). Provide a comma-separated list to include several levels.
- `--ignore-unfixed`: Suppress vulnerabilities for which the OS vendor or language package manager has not yet published a fix. This produces an actionable list, but the hidden findings are still present in the image, so do not read the reduced count as reduced exposure.
- `--output FILE`: Save results to a file instead of printing them.
- `--format FORMAT`: Output format (`table`, `json`, `sarif`, `template`). Use `json` when the results are to be consumed by other tooling.
3. Lab: Comparing Base Image Vulnerabilities
This lab explores vulnerability counts in different common base Docker images. The findings depend on the state of the vulnerability database at the time of scanning and on the specific image tags used.
The PythonSpeed article "Choosing the best base image for your Python Docker images" (2019), referenced in the original document, discussed base image choices. Let's scan some of the images mentioned there, plus a few others.
(Note: the image tags used here, ubuntu:18.04, centos:7.6.1810, debian:10.2-slim and alpine:3.11, are old and these releases are past end of life. A distribution that no longer publishes security advisories stops accumulating new findings, so counts for end-of-life images can understate real exposure. Results will differ significantly with newer tags or at a later date; the lab demonstrates the process, not a current recommendation.)
3.1 Scanning ubuntu:18.04
Get a summary (total vulnerabilities):
View the full list of vulnerabilities:
Filter for CRITICAL, unfixed vulnerabilities:
3.2 Scanning centos:7.6.1810 and debian:10.2-slim
Repeat similar steps for the other base images. The commands are provided below for convenience.
CentOS 7.6.1810 Summary:
Debian 10.2-slim Summary:
You can also run full scans or filtered scans as shown for Ubuntu.
Question: Based on the summary counts from these older images, which base image would you choose at a glance for minimizing vulnerabilities? (Remember, always use current, supported tags in practice).
3.3 Comparing with Alpine Images
Alpine Linux is known for its small size. Fewer installed packages means fewer places for a published advisory to match, which usually shows up as a lower finding count and a smaller attack surface. Treat the count with care, though: it reflects what the distribution's security database records about the packages present, not a guarantee about the code that remains.
Scan alpine:3.11 (an older Alpine version):
Scan a dedicated Python-on-Alpine image (example from João Ferreira Loff, jfloff/alpine-python):
Important Considerations:

- Be specific with tags! Using `:latest` or other non-specific tags can lead to misleading or inconsistent results. Trivy scans the copy of the image already present in your local Docker cache when there is one, so a stale `:latest` pulled months ago is what gets scanned, not the current upstream image. Always scan the exact image tag (or digest) you intend to deploy.
- Vulnerability databases are updated frequently. Results for the same image can change from one day to the next, so record the scan date alongside the counts.
- The number of vulnerabilities is only one aspect. Consider severity, fix availability, and whether the affected packages are ones your application actually uses or exposes.
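To make the comparison in this lab repeatable, and to weigh severity and fix availability rather than raw totals, the following script is an added example; it is not part of the original guide or of the Trivy project. It reads reports saved with `trivy image --format json --output FILE IMAGE` (the `--format` and `--output` flags from section 2.2), reproduces the effect of `--severity` and `--ignore-unfixed` offline, and ranks images by their worst findings first. The field names it relies on (`Results`, `Target`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) are those of Trivy's JSON schema version 2 and are an assumption about your Trivy version; the embedded sample reports, including their image names, package names, IDs and counts, are constructed for the example and are not real scan output.

```python
"""Summarize and compare saved Trivy JSON reports without re-scanning.

Added example for this guide, not Trivy project code. Field names assume
Trivy's JSON schema version 2 (trivy image --format json).
"""
import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")


def load_report(path):
    """Load a report written by `trivy image --format json --output FILE IMAGE`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def iter_vulns(report):
    """Yield (target, vuln) for every finding; clean targets carry no Vulnerabilities key."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def filter_findings(report, severities=SEVERITIES, ignore_unfixed=False):
    """Mirror `trivy -s ... --ignore-unfixed` on a saved report.

    A finding counts as unfixed when FixedVersion is absent or empty, which is
    how Trivy reports packages with no vendor fix yet.
    """
    wanted = {s.upper() for s in severities}
    findings = []
    for target, vuln in iter_vulns(report):
        severity = str(vuln.get("Severity", "UNKNOWN")).upper()
        if severity not in wanted:
            continue
        fixed = vuln.get("FixedVersion") or ""
        if ignore_unfixed and not fixed:
            continue
        findings.append({"target": target, "id": vuln.get("VulnerabilityID", ""),
                         "pkg": vuln.get("PkgName", ""), "installed": vuln.get("InstalledVersion", ""),
                         "fixed": fixed, "severity": severity})
    return findings


def summarize(report, **filters):
    """Per-severity counts, always returning every severity so tables line up."""
    counts = Counter(f["severity"] for f in filter_findings(report, **filters))
    return {s: counts.get(s, 0) for s in SEVERITIES}


def rank_images(reports, **filters):
    """Order images best-first by CRITICAL, then HIGH, then total, then name.

    Ranking on the worst severity first keeps two images with the same total
    from looking equivalent when only one of them carries a CRITICAL finding.
    """
    rows = []
    for name, report in reports.items():
        summary = summarize(report, **filters)
        rows.append((name, summary, sum(summary.values())))
    rows.sort(key=lambda row: (row[1]["CRITICAL"], row[1]["HIGH"], row[2], row[0]))
    return rows


def render(rows):
    """Fixed-width comparison table, one line per image."""
    lines = [f"{'IMAGE':<14}" + "".join(f"{s:>10}" for s in SEVERITIES) + f"{'TOTAL':>7}"]
    for name, summary, total in rows:
        cells = "".join(f"{summary[s]:>10}" for s in SEVERITIES)
        lines.append(f"{name:<14}{cells}{total:>7}")
    return "\n".join(lines)


def _vuln(vid, pkg, installed, fixed, severity):
    """Build one finding in Trivy's shape; omit FixedVersion entirely when unfixed."""
    v = {"VulnerabilityID": vid, "PkgName": pkg, "InstalledVersion": installed, "Severity": severity}
    if fixed:
        v["FixedVersion"] = fixed
    return v


def _report(name, vulns):
    return {"SchemaVersion": 2, "ArtifactName": name,
            "Results": [{"Target": f"{name} (os-pkgs)", "Class": "os-pkgs", "Vulnerabilities": vulns}]}


# Constructed sample reports: names, packages, IDs and counts are made up to
# exercise the code and are not real scan results for any real image.
SAMPLE_REPORTS = {
    "image-full": _report("image-full", [
        _vuln("EXAMPLE-0001", "libalpha", "1.1.0", None, "CRITICAL"),
        _vuln("EXAMPLE-0002", "toolbeta", "7.58.0", "7.58.0-2", "HIGH"),
        _vuln("EXAMPLE-0003", "shellgamma", "4.4", None, "HIGH"),
        _vuln("EXAMPLE-0004", "libdelta", "1.2.11", "1.2.11-1", "MEDIUM"),
        _vuln("EXAMPLE-0005", "archiver", "1.29", None, "LOW"),
    ]),
    "image-slim": _report("image-slim", [
        _vuln("EXAMPLE-0006", "libepsilon", "2.28", "2.28-10", "CRITICAL"),
        _vuln("EXAMPLE-0007", "interp", "5.28", None, "MEDIUM"),
    ]),
    "image-small": _report("image-small", [
        _vuln("EXAMPLE-0008", "libzeta", "1.1.24", "1.1.24-r1", "HIGH"),
        _vuln("EXAMPLE-0009", "multitool", "1.31.1", "1.31.1-r9", "LOW"),
    ]),
}

if __name__ == "__main__":
    print("All findings:")
    print(render(rank_images(SAMPLE_REPORTS)))
    print("\nFixable findings only (equivalent of --ignore-unfixed):")
    print(render(rank_images(SAMPLE_REPORTS, ignore_unfixed=True)))
    print("\nCRITICAL findings with no fix available:")
    for name, report in SAMPLE_REPORTS.items():
        for f in filter_findings(report, severities=("CRITICAL",)):
            if not f["fixed"]:
                print(f"  {name}: {f['id']} in {f['pkg']} {f['installed']}")
```

In the constructed data, image-slim and image-small share the same total yet rank differently because only one carries a CRITICAL finding, and the ordering changes again once unfixed findings are excluded; that is the point of the last consideration above. For real images, replace `SAMPLE_REPORTS` with `{name: load_report(path) for name, path in ...}` over the files Trivy wrote.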