What is Trivy and how do you use it?


About Trivy:

Trivy, developed by Aqua Security, is an open-source vulnerability scanner specifically designed for container images. It stands out for its ease of use, efficiency, and comprehensive scanning capabilities. Trivy is a valuable tool for developers and operations teams who aim to maintain secure containerized environments by identifying vulnerabilities and misconfigurations.

Use Cases for Trivy:

  • Early Detection of Vulnerabilities: By integrating Trivy into CI/CD pipelines, organizations can detect vulnerabilities in container images at the earliest possible stage. This helps in maintaining a robust security posture and reduces the cost and effort required to address vulnerabilities later in the lifecycle.

  • Compliance and Auditing: Trivy’s comprehensive scanning capabilities help organizations adhere to security policies and regulatory requirements. It provides detailed reports on vulnerabilities, which are essential for auditing and compliance purposes.

  • Securing Container Registries: Scanning images in container registries ensures that only secure and compliant images are available for deployment. This minimizes the risk of deploying vulnerable images to production environments.

  • Runtime Security: In Kubernetes environments, Trivy can continuously monitor running containers for vulnerabilities, ensuring that any newly discovered vulnerabilities are promptly identified and addressed.

Benefits of Using Trivy:

  • Ease of Use: Trivy is designed with simplicity, making integrating into various workflows easy. It requires minimal configuration and can be used with a single command, making it accessible to developers and security teams alike.

  • Comprehensive Scanning: Trivy performs thorough scans of container images, including operating system packages and application dependencies. It covers a wide range of vulnerabilities, providing a comprehensive security assessment.

  • Speed and Efficiency: Trivy is optimized for speed, allowing for quick scans without compromising accuracy. This is crucial in CI/CD environments where speed and efficiency are paramount.

  • Open Source and Community Support: As an open-source tool, Trivy benefits from a vibrant community that contributes to its development and maintenance. This ensures continuous improvement and up-to-date vulnerability databases.

  • Integration Capabilities: Trivy integrates seamlessly with popular CI/CD tools, container registries, and Kubernetes, providing flexibility and ease of adoption in various environments.

How I set it up in my project:

Environment Setup:

Host Name   IP Address     OS
trivy       192.168.1.60   Ubuntu 24.04 LTS

Note: Jenkins will be installed on the same machine, since no Jenkins plug-in is available for Trivy.

How to install it:


# Prerequisites for adding Aqua's apt repository
sudo apt-get install wget apt-transport-https gnupg lsb-release
# Import the repository signing key (apt-key is deprecated on newer Ubuntu releases; Trivy's docs also document a signed-by keyring variant)
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update -y
sudo apt-get install trivy -y
  • Clone the sample repo onto the trivy machine: git clone https://github.com/mrbalraj007/Boardgame.git

This creates a Boardgame folder, which we will scan.

Run the following command from inside the Boardgame folder (trivy fs scans the file system at the given path, here the current directory):

trivy fs .

To write the outcome to a report file (note that --format table produces a plain-text table; the .html extension here is only the file name, a real HTML report requires --format template with Trivy's html.tpl):

trivy fs --format table -o trivy-fsreport.html .

Install docker

  • Install Docker on the same trivy machine and set the permissions as below:
sudo apt install docker.io -y

# Change the ownership of the Docker socket to the current user
sudo chown $USER /var/run/docker.sock

# Add your user to the docker group (log out and back in for this to take effect)
sudo usermod -aG docker $USER

Verify Docker version

docker --version
Docker version 24.0.7, build 24.0.7-0ubuntu4
  • Pull the image that will be scanned: sonarqube:lts-community
docker pull sonarqube:lts-community

Now we will scan the Docker image:
trivy image --format table -o trivy-image-report.html sonarqube:lts-community

Using Jenkins:

  • Configure Maven first.

Dashboard > Manage Jenkins > Tools:

Click Add under Maven installations.

name: maven3
Version: 3.9.8

We will use Jenkins on the same server and create a declarative pipeline.

  • Here we have scanned the FS only:
pipeline {
    agent any
    tools {
        maven 'maven3'
    }
    stages {
        stage('Git CheckOut') {
            steps {
                git branch: 'main', url: 'https://github.com/mrbalraj007/Boardgame.git'
            }
        }
        stage('Compile and Test') {
            steps {
                sh 'mvn test'
            }
        }
        stage('Trivy FS Scan') {
            steps {
                sh 'trivy fs --format table -o trivy-fsreport.html .'
            }
        }
    }
}

  • Pipeline has been executed successfully.

  • Output generated in the workspace.

  • Here we have scanned the FS + Docker image:

pipeline {
    agent any
    tools {
        maven 'maven3'
    }
    stages {
        stage('Git CheckOut') {
            steps {
                git branch: 'main', url: 'https://github.com/mrbalraj007/Boardgame.git'
            }
        }
        stage('Compile and Test') {
            steps {
                sh 'mvn test'
            }
        }
        stage('Trivy FS Scan') {
            steps {
                sh 'trivy fs --format table -o trivy-fsreport.html .'
            }
        }
        stage('Trivy image Scan') {
            steps {
                sh 'trivy image --format table -o trivy-image-report.html sonarqube:lts-community'
            }
        }
    }
}

Pipeline Status:

Workspace:
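As an added example (not part of the original post), the same pipeline extended into a real quality gate: the full reports are archived with the build, and the build fails when Trivy finds HIGH/CRITICAL vulnerabilities that already have a fix. The TRIVY_CACHE_DIR location, the .txt report names and the IMAGE variable are my own choices.

```groovy
pipeline {
    agent any
    tools {
        maven 'maven3'
    }
    environment {
        // Image scanned in the post; kept in a variable so it is defined in one place
        IMAGE = 'sonarqube:lts-community'
        // Keep Trivy's vulnerability DB in the workspace so later builds reuse it
        // (TRIVY_CACHE_DIR is the environment form of --cache-dir); assumed location
        TRIVY_CACHE_DIR = "${WORKSPACE}/.trivycache"
    }
    stages {
        stage('Git CheckOut') {
            steps {
                git branch: 'main', url: 'https://github.com/mrbalraj007/Boardgame.git'
            }
        }
        stage('Compile and Test') {
            steps {
                sh 'mvn test'
            }
        }
        stage('Trivy FS Scan') {
            steps {
                // Full report of every severity, written as a plain-text table
                sh 'trivy fs --no-progress --format table -o trivy-fsreport.txt .'
                // Gate: exit code 1 (build failure) only for HIGH/CRITICAL findings with an available fix
                sh 'trivy fs --no-progress --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed .'
            }
        }
        stage('Trivy Image Scan') {
            steps {
                sh "trivy image --no-progress --format table -o trivy-image-report.txt ${IMAGE}"
                // Stricter gate for the image: only fixable CRITICAL findings block the build
                sh "trivy image --no-progress --exit-code 1 --severity CRITICAL --ignore-unfixed ${IMAGE}"
            }
        }
    }
    post {
        always {
            // Attach the reports to the build record even when a gate fails the build
            archiveArtifacts artifacts: 'trivy-*.txt', fingerprint: true, allowEmptyArchive: true
        }
    }
}
```

Each target is scanned twice (report, then gate) so the archived report still lists LOW/MEDIUM findings; the second run is fast because the database and scan cache are already populated.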