{"id":281712,"date":"2021-06-23T15:00:21","date_gmt":"2021-06-23T12:00:21","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-use-trivy-to-find-vulnerabilities-in-docker-containers-cloudsavvy-it\/"},"modified":"2021-06-23T15:00:21","modified_gmt":"2021-06-23T12:00:21","slug":"how-to-use-trivy-to-find-vulnerabilities-in-docker-containers-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-use-trivy-to-find-vulnerabilities-in-docker-containers-cloudsavvy-it\/","title":{"rendered":"#How to Use Trivy to Find Vulnerabilities in Docker Containers \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#How to Use Trivy to Find Vulnerabilities in Docker Containers \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div 
id=\"article-content-area\">\n<p><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage aligncenter size-full wp-image-12028\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/06\/71c21294.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Trivy logo\" width=\"1602\" height=\"902\" \/><\/p>\n<p>A Trivy scan inspects your Dockerfile\u2019s base image to find unresolved vulnerabilities that your containers will inherit. Trivy can also look at operating system packages and source code dependencies added via popular package managers.<\/p>\n<p>Trivy has three scan types: container, Git repository, and filesystem directory. We\u2019re focusing on container scans in this article. The <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/aquasecurity\/trivy\">Trivy docs<\/a> provide more information on how you can analyze your source code and its environment.<\/p>\n<h2 id=\"installing-trivy\"><span class=\"ez-toc-section\" id=\"Installing_Trivy\"><\/span>Installing Trivy<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Trivy\u2019s available on most popular Linux distributions. You might need to add the developer\u2019s repository. 
You can find the right link for your distribution <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/aquasecurity.github.io\/trivy\/v0.18.3\/installation\">in the Trivy docs<\/a>.<\/p>\n<p>If you\u2019d prefer to use a specific version, you can download a binary from the project\u2019s <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/aquasecurity\/trivy\">GitHub releases<\/a> page. There\u2019s also an <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/aquasecurity.github.io\/trivy\/v0.18.3\/installation\/#install-script\">automated install script<\/a> that will download the appropriate binary for your operating system.<\/p>\n<p>Finally, Trivy\u2019s got its own Docker image which you can use instead of bare-metal installation:<\/p>\n<pre><code>docker run --rm -v trivy-cache:\/root\/.cache\/ -v \/var\/run\/docker.sock:\/var\/run\/docker.sock aquasec\/trivy:latest<\/code><\/pre>\n<p>This command mounts a Docker volume named <code>trivy-cache<\/code> at the Trivy container\u2019s cache path. This improves performance by letting Trivy keep its cached vulnerability database across scans, even though the container itself is removed after each run.<\/p>\n<p>Your host\u2019s Docker socket also gets mounted into the container. This gives Trivy access to the host\u2019s Docker daemon so it can scan the images stored there. Bear in mind that access to the Docker socket is equivalent to root on the host, so only grant it to a scanner image you trust. Now you\u2019re ready to start finding vulnerabilities.<\/p>\n<h2 id=\"first-run\"><span class=\"ez-toc-section\" id=\"First_Run\"><\/span>First Run<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Trivy\u2019s container engine supports local and remote images. 
It works with Docker, Podman, exported image archives (<code>docker save<\/code>) and images in registries such as Docker Hub and GitHub Container Registry.<\/p>\n<p>You can start a basic scan using the <code>trivy image<\/code> command. This accepts an image reference, such as a name and tag.<\/p>\n<pre><code>trivy image my-image:latest<\/code><\/pre>\n<p>Trivy will download its vulnerability database on the first run. The database will be cached and reused for future scans.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-12030\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/06\/3ea5f5d3.jpg?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Screenshot of a Trivy report\" width=\"1332\" height=\"688\" \/><\/p>\n<p>Scan results are emitted straight to your terminal. The summary at the top shows the detected container operating system and a breakdown of found vulnerabilities by severity. The table provides a full list of issues, including the library each one was found in, a description, and a CVE ID when available.<\/p>\n<h2 id=\"reducing-the-noise\"><span class=\"ez-toc-section\" id=\"Reducing_the_Noise\"><\/span>Reducing the Noise<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Trivy supports several flags to let you customize its output. It will default to showing all detected vulnerabilities if no flags are present. This could include vulnerabilities that haven\u2019t been patched in the upstream project.<\/p>\n<p>You can exclude unfixed issues by adding the <code>--ignore-unfixed<\/code> flag. This reduces the noise by hiding problems that you won\u2019t be able to resolve. The vulnerabilities are still present in the image, so re-run the scan once fixes land upstream.<\/p>\n<pre><code>trivy image --ignore-unfixed my-image:latest<\/code><\/pre>\n<p>Sometimes you might want to intentionally accept a vulnerability. Not all issues impact all projects equally. 
If you\u2019re not affected, or you\u2019re willing to take the risk, Trivy will let you omit specific CVE IDs from your scans.<\/p>\n<p>Add a <code>.trivyignore<\/code> file to your working directory. Enter a list of CVE IDs, one on each line. Trivy will find and use the file when you run a scan. CVEs that are present in <code>.trivyignore<\/code> won\u2019t show up in the scan output. It\u2019s a good idea to add a comment to each CVE you exclude; this ensures other contributors are informed why the risk has been accepted.<\/p>\n<pre><code># .trivyignore\n# This issue is not relevant to our usage\nCVE-2021-1234<\/code><\/pre>\n<h2 id=\"filtering-vulnerabilities\"><span class=\"ez-toc-section\" id=\"Filtering_Vulnerabilities\"><\/span>Filtering Vulnerabilities<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>You can filter to show vulnerabilities of a particular type using the <code>--vuln-type<\/code> flag. This accepts either <code>library<\/code> or <code>os<\/code> as a value.<\/p>\n<p>Using <code>library<\/code> will reveal issues arising from programming language dependencies. The <code>os<\/code> option scopes the scan to operating system packages.<\/p>\n<p>You can also filter by vulnerability severity. This helps you focus on the issues that matter by hiding relatively insignificant vulnerabilities. Pass in a comma-separated list of <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.first.org\/cvss\/specification-document\">CVSS severity levels<\/a> to include:<\/p>\n<pre><code>trivy image --severity MEDIUM,HIGH,CRITICAL my-image:latest<\/code><\/pre>\n<p>Now any <code>LOW<\/code> (and <code>UNKNOWN<\/code>) severity problems will be omitted from the report.<\/p>\n<p>Trivy defaults to a visual table designed for human consumption in a terminal. You can get machine-parsable JSON instead by adding <code>--format json<\/code>.<\/p>\n<p>There\u2019s also support for customized output styles using templates. 
Several templates are included, such as <code>xml<\/code> and <code>html<\/code>:<\/p>\n<pre><code>trivy image --format template --template \"@contrib\/html.tpl\" -o scan.html my-image:latest<\/code><\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-12029\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/06\/bd64f999.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"1266\" height=\"656\" \/><\/p>\n<p>This scan will produce an HTML report saved to <code>scan.html<\/code>. The <code>@<\/code> prefix tells Trivy to read the template from a file rather than treating the argument as an inline template. Graphical reports can be quicker to read and easier to share, especially when many issues are found.<\/p>\n<h2 id=\"using-trivy-in-ci\"><span class=\"ez-toc-section\" id=\"Using_Trivy_In_CI\"><\/span>Using Trivy In CI<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>You can easily incorporate Trivy into your CI scripts. Beware that the exit code is always <code>0<\/code> by default, even if vulnerabilities are found. Add the <code>--exit-code 1<\/code> flag to make Trivy exit with a non-zero code if issues are present; combine it with <code>--severity<\/code> so the build fails only on the levels you care about.<\/p>\n<p>You\u2019ve got multiple options to get Trivy into your builds. Official <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/aquasecurity.github.io\/trivy\/v0.18.3\/integrations\">integration patterns<\/a> are available for popular CI providers including GitHub, GitLab, Travis, and CircleCI.<\/p>\n<p>When you build images within your pipeline, you can either run Trivy on the final build output or use the tool <em>within<\/em> the container. Docker\u2019s multi-stage builds let you reference the Trivy image and abort the build if a scan fails. 
Make sure you use the <code>filesystem<\/code> mode instead of <code>image<\/code>, as you\u2019re scanning the filesystem of the image being built from the inside.<\/p>\n<pre class=\"dockerfile\"><code>COPY --from=aquasec\/trivy:latest \/usr\/local\/bin\/trivy \/usr\/local\/bin\/trivy\nRUN trivy filesystem --exit-code 1 --no-progress \/<\/code><\/pre>\n<p>It\u2019s usually best to run Trivy near the end of your <code>Dockerfile<\/code>, after all your software dependencies are installed. Run <code>rm \/usr\/local\/bin\/trivy<\/code> afterward to reduce the size of your final image; do this in the same <code>RUN<\/code> instruction as the scan, otherwise the binary remains in an earlier layer.<\/p>\n<h2 id=\"server-mode\"><span class=\"ez-toc-section\" id=\"Server_Mode\"><\/span>Server Mode<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Trivy can run in client-server mode. This moves the vulnerability database to the server, so clients don\u2019t need to maintain their own versions.<\/p>\n<p>Trivy binaries come with server mode built-in. Run <code>trivy server<\/code> to start a server instance on your machine. The default port is <code>4594<\/code>; you can change this by adding <code>--listen localhost:8080<\/code> and specifying the chosen port.<\/p>\n<p>The server will download the vulnerability database when it starts. It\u2019ll check for updates in the background and automatically pull new versions.<\/p>\n<p>You connect a Trivy client to your server using <code>trivy client<\/code>, passing the image reference directly:<\/p>\n<pre><code>trivy client --remote http:\/\/localhost:8080 my-image:latest<\/code><\/pre>\n<p>If you need authentication, add a <code>--token<\/code> flag to the server and the client commands. The server will only accept new clients if they present the correct token.<\/p>\n<h2 id=\"summary\"><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Using Trivy to scan your Docker containers helps you find vulnerabilities before they become an issue in production. 
You can be more confident in your containers by regularly checking for outdated OS packages and programming language dependencies.<\/p>\n<p>Trivy acquires its vulnerability lists from several different sources. Some of those <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/aquasecurity.github.io\/trivy\/v0.18.3\/vuln-detection\/data-source\">sources<\/a> specify non-commercial use only, so you should <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/aquasecurity\/trivy\">check<\/a>\u00a0that your project\u2019s compliant before you add Trivy to your builds.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/12027\/how-to-use-trivy-to-find-vulnerabilities-in-docker-containers\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Use Trivy 
to Find Vulnerabilities in Docker Containers \u2013 CloudSavvy IT&#8221; A Trivy scan inspects your Dockerfile\u2019s base image to find unresolved vulnerabilities that your containers will inherit. Trivy can also look at operating system packages and source code dependencies added via popular package managers. Trivy has three scan types: container, Git repository,&#8230;<\/p>\n","protected":false},"author":1,"featured_media":281713,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/06\/71c21294.jpg","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-281712","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/281712","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=281712"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/281712\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/281713"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=281712"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=281712"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=281712"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":
true}]}}