Documentation Index
Fetch the complete documentation index at: https://docs.ahmadraza.in/llms.txt
Use this file to discover all available pages before exploring further.
Trevy Documentation: Full Setup and Scan Guide
Introduction to Trevy
Trevy is a lightweight and easy-to-use tool for managing and scanning Docker images for vulnerabilities. It leverages popular vulnerability databases to ensure your container images are secure. This guide provides comprehensive information on installing, setting up, and using Trevy with practical examples.
Key Features of Trevy
- Lightweight: Minimal overhead, easy to install and run.
- Integration: Works with Docker and popular CI/CD pipelines.
- Vulnerability Scanning: Detects vulnerabilities in Docker images using reliable databases.
Prerequisites
- A system with Docker installed.
- Basic knowledge of Docker and containerization.
Installation
Installing Trevy on Ubuntu
-
Update the package list and install prerequisites:
sudo apt update
sudo apt install -y curl
-
Download and install Trevy:
curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
-
Verify the installation:
Installing Trevy on macOS
-
Using Homebrew:
brew install aquasecurity/trivy/trivy
-
Verify the installation:
Basic Usage
Scanning a Docker Image
Trevy can scan Docker images for vulnerabilities. Below is an example of how to scan an image:
-
Pull a Docker image:
-
Scan the image with Trevy:
Example output:
2023-08-02T10:00:00.000Z INFO Need to update DB
2023-08-02T10:00:00.000Z INFO Downloading DB...
2023-08-02T10:00:00.000Z INFO Detecting Nginx vulnerabilities...
nginx:latest (alpine 3.13.2)
=============================
Total: 10 (UNKNOWN: 0, LOW: 5, MEDIUM: 3, HIGH: 2, CRITICAL: 0)
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
| openssl | CVE-2021-23840 | HIGH | 1.1.1i-r0 | 1.1.1j-r0 | openssl: integer overflow in X509 |
| | | | | | certificate verification |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
Scanning a Local Directory
Trevy can also scan local directories for vulnerabilities, which is useful for scanning application dependencies:
-
Scan a local directory:
trivy fs /path/to/your/project
2023-08-02T10:10:00.000Z INFO Need to update DB
2023-08-02T10:10:00.000Z INFO Downloading DB...
2023-08-02T10:10:00.000Z INFO Detecting file vulnerabilities...
/path/to/your/project (alpine 3.13.2)
=====================================
Total: 5 (UNKNOWN: 0, LOW: 2, MEDIUM: 2, HIGH: 1, CRITICAL: 0)
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libc6 | CVE-2021-33574 | HIGH | 2.31-0ubuntu9.9 | 2.31-0ubuntu9.9| glibc: use-after-free in _IO_str_ |
| | | | | | overrun in glibc |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
Advanced Usage
Ignoring Specific Vulnerabilities
To ignore specific vulnerabilities, create a .trivyignore file in the directory you are scanning:
-
Create a
.trivyignore file:
echo "CVE-2021-23840" >> /path/to/your/project/.trivyignore
-
Scan the directory:
trivy fs /path/to/your/project
Scheduling Regular Scans
To schedule regular scans, you can use cron jobs. Here’s an example of how to set up a daily scan:
-
Edit the crontab:
-
Add the following line to schedule a daily scan at midnight:
0 0 * * * /usr/local/bin/trivy image nginx:latest >> /var/log/trivy.log 2>&1
nginx:latest image daily at midnight and log the results to /var/log/trivy.log.
Example CI/CD Pipeline Integration
Trevy can be integrated into CI/CD pipelines to ensure Docker images are scanned for vulnerabilities before deployment.
GitHub Actions Example
-
Create a GitHub Actions workflow file:
name: Docker Image CI
on:
push:
branches:
- main
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Build Docker image
run: docker build -t your_username/your_image:latest .
- name: Install Trivy
run: |
curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
trivy --version
- name: Scan Docker image
run: trivy image your_username/your_image:latest
-
Commit and push the workflow file:
git add .github/workflows/docker-image-ci.yml
git commit -m "Add Docker image CI workflow"
git push origin main
This workflow checks out the code, builds the Docker image, installs Trevy, and scans the image for vulnerabilities. If any vulnerabilities are found, the build will fail, ensuring that only secure images are deployed.
Trevy is a powerful tool for scanning Docker images and local directories for vulnerabilities. By following this guide, you should be able to install, configure, and use Trevy to ensure your container images are secure. With integration into CI/CD pipelines, you can automate the security checks and maintain a secure deployment process.
