Trivy Documentation: Full Setup and Scan Guide
Introduction to Trivy
Trivy is a lightweight and easy-to-use tool for managing and scanning Docker images for vulnerabilities. It leverages popular vulnerability databases to ensure your container images are secure. This guide provides comprehensive information on installing, setting up, and using Trivy with practical examples.
Key Features of Trivy
- Lightweight: Minimal overhead, easy to install and run.
- Integration: Works with Docker and popular CI/CD pipelines.
- Vulnerability Scanning: Detects vulnerabilities in Docker images using reliable vulnerability databases.
Prerequisites
- A system with Docker installed.
- Basic knowledge of Docker and containerization.
Installation
Installing Trivy on Ubuntu
- Update the package list and install prerequisites:
    sudo apt update
    sudo apt install -y curl
- Download and install Trivy:
    curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
- Verify the installation:
    trivy --version
Installing Trivy on macOS
- Using Homebrew:
    brew install aquasecurity/trivy/trivy
- Verify the installation:
    trivy --version
Basic Usage
Scanning a Docker Image
Trivy can scan Docker images for vulnerabilities. Below is an example of how to scan an image:
- Pull a Docker image:
    docker pull nginx:latest
- Scan the image with Trivy:
    trivy image nginx:latest
Example output:
    2023-08-02T10:00:00.000Z INFO Need to update DB
    2023-08-02T10:00:00.000Z INFO Downloading DB...
    2023-08-02T10:00:00.000Z INFO Detecting Nginx vulnerabilities...

    nginx:latest (alpine 3.13.2)
    =============================
    Total: 10 (UNKNOWN: 0, LOW: 5, MEDIUM: 3, HIGH: 2, CRITICAL: 0)

    +-------------+------------------+----------+-------------------+---------------+---------------------------------------+
    |   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
    +-------------+------------------+----------+-------------------+---------------+---------------------------------------+
    | openssl     | CVE-2021-23840   | HIGH     | 1.1.1i-r0         | 1.1.1j-r0     | openssl: integer overflow in X509     |
    |             |                  |          |                   |               | certificate verification              |
    +-------------+------------------+----------+-------------------+---------------+---------------------------------------+
Scanning a Local Directory
Trivy can also scan local directories for vulnerabilities, which is useful for scanning application dependencies:
- Scan a local directory:
    trivy fs /path/to/your/project
Example output:
    2023-08-02T10:10:00.000Z INFO Need to update DB
    2023-08-02T10:10:00.000Z INFO Downloading DB...
    2023-08-02T10:10:00.000Z INFO Detecting file vulnerabilities...

    /path/to/your/project (alpine 3.13.2)
    =====================================
    Total: 5 (UNKNOWN: 0, LOW: 2, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

    +-------------+------------------+----------+-------------------+---------------+---------------------------------------+
    |   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
    +-------------+------------------+----------+-------------------+---------------+---------------------------------------+
    | libc6       | CVE-2021-33574   | HIGH     | 2.31-0ubuntu9.9   | 2.31-0ubuntu9.9| glibc: use-after-free in _IO_str_     |
    |             |                  |          |                   |               | overrun in glibc                      |
    +-------------+------------------+----------+-------------------+---------------+---------------------------------------+
Advanced Usage
Ignoring Specific Vulnerabilities
To ignore specific vulnerabilities, create a .trivyignore file in the directory you are scanning:
- Create a .trivyignore file:
    echo "CVE-2021-23840" >> /path/to/your/project/.trivyignore
- Scan the directory:
    trivy fs /path/to/your/project
The specified vulnerability will be ignored in the scan results. Trivy looks for .trivyignore in the directory it is run from, so when you run the scan from elsewhere, pass the file explicitly with --ignorefile /path/to/your/project/.trivyignore.
Scheduling Regular Scans
To schedule regular scans, you can use cron jobs. Here’s an example of how to set up a daily scan:
- Edit the crontab:
    crontab -e
- Add the following line to schedule a daily scan at midnight:
    0 0 * * * /usr/local/bin/trivy image nginx:latest >> /var/log/trivy.log 2>&1
This will scan the nginx:latest image daily at midnight and log the results to /var/log/trivy.log.
Example CI/CD Pipeline Integration
Trivy can be integrated into CI/CD pipelines to ensure Docker images are scanned for vulnerabilities before deployment.
GitHub Actions Example
- Create a GitHub Actions workflow file at .github/workflows/docker-image-ci.yml:
    name: Docker Image CI

    on:
      push:
        branches:
          - main

    jobs:
      build:
        runs-on: ubuntu-latest
        steps:
          - name: Checkout code
            uses: actions/checkout@v2
          - name: Set up Docker Buildx
            uses: docker/setup-buildx-action@v1
          - name: Login to Docker Hub
            uses: docker/login-action@v1
            with:
              username: ${{ secrets.DOCKER_USERNAME }}
              password: ${{ secrets.DOCKER_PASSWORD }}
          - name: Build Docker image
            run: docker build -t your_username/your_image:latest .
          - name: Install Trivy
            run: |
              curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
              trivy --version
          - name: Scan Docker image
            # --exit-code 1 makes the step (and therefore the job) fail when findings are reported
            run: trivy image --exit-code 1 your_username/your_image:latest
- Commit and push the workflow file:
    git add .github/workflows/docker-image-ci.yml
    git commit -m "Add Docker image CI workflow"
    git push origin main
This workflow checks out the code, builds the Docker image, installs Trivy, and scans the image for vulnerabilities. If any vulnerabilities are found, the build will fail, ensuring that only secure images are deployed.
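Trivy can gate a pipeline on its own with --exit-code and --severity, but it helps to see what that decision looks like against the report. The script below is an added example, not part of this page or of the Trivy project: it parses a JSON report in the layout produced by trivy ... --format json (a Results list, each with a Vulnerabilities list), applies a .trivyignore list as in the "Ignoring Specific Vulnerabilities" section, and returns the exit code a CI step would use, as in the GitHub Actions section. The report data is constructed from the two findings shown in this page's example output.

```python
"""CI gate over a Trivy JSON report (added example; constructed data, not Trivy's code)."""
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed report in the layout of `trivy ... --format json` (Results -> Vulnerabilities),
# populated with the two findings shown in this page's example scans.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "nginx:latest (alpine 3.13.2)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-23840", "PkgName": "openssl",
             "InstalledVersion": "1.1.1i-r0", "FixedVersion": "1.1.1j-r0", "Severity": "HIGH"}]},
        {"Target": "/path/to/your/project", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-33574", "PkgName": "libc6",
             "InstalledVersion": "2.31-0ubuntu9.9", "FixedVersion": "2.31-0ubuntu9.9", "Severity": "HIGH"}]},
    ]
})


def load_ignore_list(text):
    """Parse .trivyignore contents: one vulnerability ID per line; '#' comments and blanks skipped."""
    ids = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            ids.add(entry)
    return ids


def findings(report_json, ignored=frozenset()):
    """Yield (id, package, severity, fixed_version) for every finding not in the ignore set."""
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # key is absent when a target is clean
            if v["VulnerabilityID"] not in ignored:
                yield v["VulnerabilityID"], v["PkgName"], v["Severity"], v.get("FixedVersion", "")


def gate(report_json, threshold="HIGH", ignore_text=""):
    """Return a process exit code: 1 if any non-ignored finding is at or above threshold, else 0."""
    bar = SEVERITY_RANK[threshold]
    blocking = [f for f in findings(report_json, load_ignore_list(ignore_text))
                if SEVERITY_RANK.get(f[2], 0) >= bar]
    for vid, pkg, sev, fixed in blocking:
        print(f"BLOCKING {sev} {vid} in {pkg} (fixed version: {fixed or 'none yet'})")
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT, threshold="HIGH"))
```

In a real job you would feed it the file written by trivy image --format json -o report.json and the repository's .trivyignore instead of the constructed sample.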
Trivy is a powerful tool for scanning Docker images and local directories for vulnerabilities. By following this guide, you should be able to install, configure, and use Trivy to ensure your container images are secure. With integration into CI/CD pipelines, you can automate the security checks and maintain a secure deployment process.