Lead Image © MPower, photocase.com

Trivy security scanner

A Look Inside

Article from ADMIN 74/2023
By
The Trivy open source tool provides information on container and software security.

Working with containers has become a standard task for administrators, but in addition to plain vanilla container operation, it is also important to take care of security – a task that is sometimes neglected when faced with relatively new container technology. Aqua Security offers the open source Trivy [1] tool, which scans container images as well as filesystems, Git repositories, and Kubernetes clusters and resources. The software can find operating system packages and software dependencies (the software bill of materials, SBOM), known security vulnerabilities (CVEs), infrastructure-as-code (IaC) misconfigurations, and sensitive information and passwords.

Installation

Trivy can be installed on all popular Linux distributions and macOS. Alternatively, you can run Trivy as a container. Detailed installation instructions can be found online [1]. Type the commands in Listing 1 to set up the scanner on Debian/Ubuntu.

Listing 1

Installing Trivy

# Tools needed to fetch the repository key and detect the release codename
sudo apt-get install wget apt-transport-https gnupg lsb-release
# Add the Trivy repository signing key
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
# Register the repository for this release
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

Security Scanning

Once the installation is complete, you can start scanning, which I demonstrate with an example of the well-known NGINX image. First, download the image, then start the scan:

 ...
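An added example, not part of the original article: one way to turn an image scan into a pass/fail check is to have Trivy write its report as JSON (the `--format json` option) and filter the findings by severity and fix availability. The sample report below is constructed for illustration, its vulnerability IDs and package names are placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample in the layout of a Trivy JSON report (not real scan output).
# Vulnerability IDs and package names are placeholders.
SAMPLE_REPORT = json.loads("""
{"ArtifactName": "nginx:latest",
 "Results": [
  {"Target": "nginx:latest (debian)", "Type": "debian",
   "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
     "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
     "InstalledVersion": "2.3-1", "FixedVersion": "", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3",
     "InstalledVersion": "0.9-4", "FixedVersion": "0.9-5", "Severity": "LOW"}]},
  {"Target": "app/package-lock.json", "Type": "npm"}]}
""")

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def blocking_findings(report, min_severity="HIGH", fixable_only=True):
    """Return (severity, id, package, installed, fixed, target) tuples that
    are at or above min_severity; with fixable_only, skip unfixed ones."""
    threshold = SEVERITY_ORDER.index(min_severity)
    findings = []
    for result in report.get("Results") or []:
        # A target without findings may have no "Vulnerabilities" key at all.
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN")
            if severity not in SEVERITY_ORDER:
                severity = "UNKNOWN"
            if SEVERITY_ORDER.index(severity) < threshold:
                continue
            if fixable_only and not vuln.get("FixedVersion"):
                continue  # nothing to upgrade to yet; report separately
            findings.append((severity, vuln.get("VulnerabilityID", "?"),
                             vuln.get("PkgName", "?"),
                             vuln.get("InstalledVersion", ""),
                             vuln.get("FixedVersion", ""), result.get("Target", "")))
    # Most severe first, then by ID for stable output.
    return sorted(findings, key=lambda f: (-SEVERITY_ORDER.index(f[0]), f[1]))


def gate(report, **kwargs):
    """Print blocking findings and return an exit status for a CI step."""
    findings = blocking_findings(report, **kwargs)
    for sev, vid, pkg, installed, fixed, target in findings:
        print(f"{sev:8} {vid} {pkg} {installed} -> {fixed or 'no fix'} [{target}]")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT))
```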
	