Working with containers has become one of the standard tasks of administrators. Beyond merely operating containers, however, their security also needs attention, a discipline that is sometimes neglected while container technology is still relatively new. The open source tool Trivy reports on the security of containers and the software inside them.
Trivy [1] is published as an open source tool by the Israeli company Aqua Security. Besides container images, it scans file systems, Git repositories, and Kubernetes clusters and resources. It inventories OS packages and software dependencies (and can emit this inventory as a software bill of materials, SBOM), and it finds known vulnerabilities (CVEs), infrastructure-as-code misconfigurations, and sensitive information such as hard-coded passwords and other secrets.
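To show what a vulnerability finding from Trivy actually looks like and how it is typically consumed, here is an added example that is not code from the article or from the Trivy project. It reads a report in the shape produced by trivy image --format json, builds a severity histogram and applies a simple policy gate (fail on HIGH or above, optionally ignoring findings the distribution has not fixed yet). The embedded report is constructed for this example: the top-level keys and per-finding fields follow Trivy's JSON schema, but the package names, versions and CVE identifiers are placeholders and describe no real finding against nginx.

```python
import json
import sys
from collections import Counter

# Constructed sample in the shape of `trivy image --format json` output.
# Field names follow Trivy's JSON report schema; the package names, versions
# and CVE identifiers are placeholders (a CVE year of 0000 cannot exist) and
# describe no real nginx finding.
SAMPLE_REPORT = """
{
  "ArtifactName": "nginx:latest",
  "ArtifactType": "container_image",
  "Results": [
    {
      "Target": "nginx:latest (debian 12.5)",
      "Class": "os-pkgs",
      "Type": "debian",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
         "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
         "Severity": "CRITICAL", "Title": "placeholder: fix available"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample1",
         "InstalledVersion": "1.0-1", "FixedVersion": "",
         "Severity": "HIGH", "Title": "placeholder: no fix released yet"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "exampletool",
         "InstalledVersion": "2.3-1", "FixedVersion": "2.4-1",
         "Severity": "LOW", "Title": "placeholder: low severity"}
      ]
    },
    {
      "Target": "usr/share/app/package-lock.json",
      "Class": "lang-pkgs",
      "Type": "npm"
    }
  ]
}
"""

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def load_report(text):
    """Parse a Trivy JSON report from its text form."""
    return json.loads(text)


def iter_findings(report):
    """Yield (target, vulnerability) pairs across all scanned targets.
    Targets without findings omit the 'Vulnerabilities' key or carry null,
    so both cases are handled here."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def count_by_severity(report):
    """Severity histogram over all findings in the report."""
    return Counter(vuln.get("Severity", "UNKNOWN") for _, vuln in iter_findings(report))


def blocking_findings(report, fail_on="HIGH", ignore_unfixed=False):
    """Return the findings that violate the policy: severity at or above
    `fail_on`, optionally skipping findings without a fixed version (those
    cannot be resolved by simply rebuilding the image)."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = []
    for target, vuln in iter_findings(report):
        fixed = vuln.get("FixedVersion") or ""
        if ignore_unfixed and not fixed:
            continue
        if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) >= threshold:
            blocking.append({
                "target": target,
                "id": vuln["VulnerabilityID"],
                "package": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": fixed or "no fix available",
            })
    return blocking


if __name__ == "__main__":
    # Usage: trivy image --format json -o report.json nginx && python3 gate.py report.json
    # Without an argument the constructed sample above is evaluated instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    report = load_report(text)
    print("findings by severity:", dict(count_by_severity(report)))
    blocking = blocking_findings(report, fail_on="HIGH", ignore_unfixed=True)
    for f in blocking:
        print(f"{f['id']}: {f['package']} {f['installed']} -> {f['fixed']} ({f['target']})")
    sys.exit(1 if blocking else 0)
```

For the plain case Trivy can enforce the same policy on its own with the --severity, --exit-code and --ignore-unfixed options; a script like this is useful when the report has to be filtered, merged with other scans or formatted for a custom pipeline step.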
Installation
Trivy can be installed on all common Linux distributions as well as macOS; alternatively, it can be run as a container. Detailed installation instructions can also be found at [1]. On Debian/Ubuntu, the scanner is set up from Aqua's package repository as follows (note that apt-key is deprecated on current Debian and Ubuntu releases; there the key should instead be placed under /etc/apt/keyrings and referenced with a signed-by option in the repository entry):
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
Introduction to security scans
As soon as the installation is complete, you can start scanning. We will show this using the well-known nginx image as an example. First we download the image…