Reinforce the power of your AWS scanning with Trivy

Teracloud
4 min read · Jul 20, 2023


As we already know, AWS can scan the images we push to our registry for vulnerabilities. In this TeraTip we add an extra security layer on top of that, using an open-source tool called Trivy.

Trivy is a comprehensive and versatile security scanner. It is organised around scanners (the kinds of security issues it looks for) and targets (the places where it can look for them).

Targets (what Trivy can scan):

  • Container Image
  • Filesystem
  • Git Repository (remote)
  • Virtual Machine Image
  • Kubernetes
  • AWS

Scanners (what Trivy can find there):

  • OS packages and software dependencies in use (SBOM)
  • Known vulnerabilities (CVEs)
  • IaC issues and misconfigurations
  • Sensitive information and secrets
  • Software licenses

Let us begin with a demo of Docker image scanning.

1) Install Trivy. In my case I am installing it locally on an Ubuntu distribution, so I proceed as follows (these are the apt steps from Trivy's installation docs):

sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

2) Run trivy -v to verify the installation.

3) Now we can run:

trivy image ${our_image_to_scan}

For example: trivy image adoptopenjdk/openjdk8:alpine-slim

The output

4) Let's try another one. Run:

trivy image php:8.1.8-alpine

The output

Ok, this looks more dangerous.

5) Fair enough. Now it would be helpful to automate these scans so we can use them in our DevSecOps pipelines. Create a file:

touch trivy-docker-image-scan.sh

With your IDE of choice open the file and paste the following content:

#!/bin/bash
# Take the image name from the Dockerfile (assumes line 1 is the FROM line)
dockerImageName=$(awk 'NR==1 {print $2}' Dockerfile)
echo "$dockerImageName"

These first lines grab the base image name from the FROM instruction on the first line of the Dockerfile and echo it to the terminal.

6) We continue editing our script with the Trivy commands, one per group of severities. For vulnerabilities of severity other than CRITICAL (MEDIUM and HIGH) we tell Trivy to return exit code 0, meaning no critical vulnerabilities were found in the image and the findings are reported only.

For CRITICAL vulnerabilities we tell Trivy to return exit code 1, so if the exit code is 1 we know without a doubt that we have critical vulnerabilities in our image.

trivy image --exit-code 0 --severity MEDIUM,HIGH $dockerImageName

trivy image --exit-code 1 --severity CRITICAL $dockerImageName

7) The previous step is delightful, but how do we leverage this information in our DevSecOps pipelines?

Here is where we can make the build pipeline fail (or not) depending on the exit code. Let's add a bash conditional:

# Trivy scan result processing ($? is the exit code of the last command, the CRITICAL scan)
exit_code=$?
echo "Exit Code : $exit_code"
# Check scan results
if [[ "${exit_code}" == 1 ]]; then
    echo "Image scanning failed. Vulnerabilities found"
    exit 1
else
    echo "Image scanning passed. No CRITICAL vulnerabilities found"
fi
Alright! Now we are able to scan our Docker images and take action based on the exit code, which depends on the vulnerabilities found.

Let's take a look at the final script and how we can implement it in a Jenkins pipeline.

trivy-docker-image-scan.sh

#!/bin/bash
dockerImageName=$(awk 'NR==1 {print $2}' Dockerfile)
trivy image --exit-code 0 --severity MEDIUM,HIGH $dockerImageName
trivy image --exit-code 1 --severity CRITICAL $dockerImageName
# Trivy scan result processing
exit_code=$?
echo "Exit Code : $exit_code"
# Check scan results
if [[ "${exit_code}" == 1 ]]; then
    echo "Image scanning failed. Vulnerabilities found"
    exit 1
else
    echo "Image scanning passed. No CRITICAL vulnerabilities found"
fi

Jenkinsfile

pipeline {
    agent any
    stages {
        stage('Trivy Vulnerability Scan - Docker') {
            steps {
                sh "bash trivy-docker-image-scan.sh"
            }
        }
    }
}
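The script above assumes the first line of the Dockerfile is the FROM instruction and that there is only one. The following is an added example (not the TeraTip's script) that generalises the same gate: it collects every image a Dockerfile actually pulls (skipping comments, ARG lines, --platform flags, multi-stage aliases and scratch) and applies the two-pass MEDIUM,HIGH / CRITICAL check to each. It assumes trivy is on PATH; the TRIVY variable is an assumed hook that lets you point it at another binary.

```bash
#!/usr/bin/env bash
# Added example: robust Trivy image gate for a Jenkins sh step.
# Assumes trivy on PATH (override with TRIVY=/path/to/binary).
set -eu

# Print every base image a Dockerfile pulls, one per line. Unlike
# awk 'NR==1 {print $2}' this tolerates comments/ARG before FROM,
# "FROM --platform=... img", "FROM img AS stage", later "FROM stage"
# references (nothing is pulled for those) and "FROM scratch".
dockerfile_images() {
    local file="$1" stages="" img line
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f          # split into words, no globbing
        [ $# -ge 2 ] || continue              # blank line or bare instruction
        case "$1" in FROM|from|From) ;; *) continue ;; esac
        shift
        while [ $# -gt 0 ] && [ "${1#--}" != "$1" ]; do shift; done  # drop flags
        [ $# -gt 0 ] || continue
        img="$1"
        [ $# -ge 3 ] && stages="$stages $3"   # remember "AS <stage>" aliases
        case " $stages " in *" $img "*) continue ;; esac
        [ "$img" = scratch ] && continue
        printf '%s\n' "$img"
    done < "$file"
}

# The TeraTip's two-pass gate, per image: MEDIUM/HIGH findings are only
# reported (exit code 0), CRITICAL ones fail the build (exit code 1).
# Returns 1 if any image is rejected.
scan_images() {
    local trivy="${TRIVY:-trivy}" rc=0 img
    for img in "$@"; do
        "$trivy" image --exit-code 0 --severity MEDIUM,HIGH "$img" || true
        if "$trivy" image --exit-code 1 --severity CRITICAL "$img"; then
            echo "PASS: no CRITICAL vulnerabilities in $img"
        else
            echo "FAIL: CRITICAL vulnerabilities found in $img" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Pipeline entry point: scan everything the Dockerfile pulls.
main() {
    local images
    images=$(dockerfile_images "${1:-Dockerfile}")
    [ -n "$images" ] || { echo "no FROM lines found" >&2; return 2; }
    scan_images $images   # word-split the newline-separated list on purpose
}
```

In the Jenkins step replace the original script with this one and call main Dockerfile; a non-zero exit still fails the stage exactly as before.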

Note:

There are some necessary steps to configure Jenkins (installing the required plugins, dependencies, and so on), but since this is not a Jenkins TeraTip, for brevity we keep it as simple as possible.

If you want to know more about Cloud Security, we suggest checking out What did AWS Re: Invent bring us in terms of Security?

If you’re interested in learning more about our #TeraTips or our blog’s content, we invite you to see all the content entries that we have created for you and your needs.

This article about AWS and Trivy was originally posted on our blog. If you’d like to learn more about Cloud technology, tools, and culture, you can find us at teracloud.io.

References:

https://aquasecurity.github.io/trivy/v0.18.3/examples/others/
https://aquasecurity.github.io/trivy/v0.18.3/installation/#nixnixos
https://www.jenkins.io/doc/book/pipeline/
