
Vulnerability Scanner Trivy Now Available as Integrated Option within Harbor


Aqua Security has announced that Trivy, their open source vulnerability scanner, is now available as an integrated option within a number of platforms. Trivy is able to scan for vulnerabilities within operating systems and a number of common application dependencies.

With this announcement, Trivy is now included within Harbor as the default scanner. Harbor is an open source container image registry and is an Incubating project with the CNCF. It is also possible to integrate Trivy with Docker to facilitate scanning Docker images.

Trivy is able to detect vulnerabilities in a number of Linux operating systems including Alpine, RHEL, CentOS, Debian, Ubuntu, SUSE, and Amazon Linux. According to Aqua, Trivy has a high accuracy for detection of vulnerabilities, especially with Alpine Linux and RHEL/CentOS. Teppei Fukuda, OSS engineer at Aqua Security, shared an analysis of vulnerabilities detected on a version of Alpine Linux by a number of vulnerability scanners, in which Trivy detected the largest number.

[Figure: Comparison of vulnerabilities detected within Alpine Linux by a number of vulnerability scanners (credit: Trivy)]

Trivy will also automatically detect the following files within the container and use them to scan for vulnerabilities within any specified application dependencies:

  • Gemfile.lock
  • Pipfile.lock
  • composer.lock
  • package-lock.json
  • yarn.lock
  • Cargo.lock
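To make the lock-file step concrete, the following added example (not Trivy's own code, which has far richer parsers and a real advisory database) walks an unpacked image filesystem for the six file names listed above, parses a package-lock.json into a package inventory, and matches that inventory against a small advisory list. The lock file, the advisory records and their DEMO-ADVISORY identifiers are all constructed for the demonstration; the version comparison only handles plain dotted versions.

```python
"""Added example (not Trivy's code): detect lock files in an unpacked image tree,
parse package-lock.json into {name: version}, and match against advisories.
All data below (lock file, advisories) is constructed for the demonstration."""
import json
import os
import tempfile

# File names Trivy auto-detects, mapped to their ecosystem (names are case-sensitive).
LOCK_FILES = {
    "Gemfile.lock": "bundler",
    "Pipfile.lock": "pipenv",
    "composer.lock": "composer",
    "package-lock.json": "npm",
    "yarn.lock": "yarn",
    "Cargo.lock": "cargo",
}


def find_lock_files(root):
    """Walk an unpacked filesystem and return (ecosystem, path) for every lock file."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in LOCK_FILES:
                found.append((LOCK_FILES[name], os.path.join(dirpath, name)))
    return sorted(found)


def parse_package_lock(text):
    """Return {name: version} from package-lock.json (lockfileVersion 1, 2 or 3)."""
    data = json.loads(text)
    pkgs = {}
    if "packages" in data:  # v2/v3: keys are paths such as node_modules/a/node_modules/b
        for path, meta in data["packages"].items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            name = path.split("node_modules/")[-1]  # keeps scoped names like @scope/pkg
            pkgs[name] = meta["version"]
    else:  # v1: nested "dependencies" tree
        def walk(deps):
            for name, meta in deps.items():
                pkgs[name] = meta["version"]
                walk(meta.get("dependencies", {}))
        walk(data.get("dependencies", {}))
    return pkgs


def version_tuple(v):
    """Numeric tuple for plain dotted versions ('4.17.15' -> (4, 17, 15))."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


# Constructed advisory records (hypothetical IDs): (package, fixed_version, id)
ADVISORIES = [
    ("lodash", "4.17.21", "DEMO-ADVISORY-1"),
    ("minimist", "1.2.6", "DEMO-ADVISORY-2"),
]


def match_advisories(pkgs, advisories=ADVISORIES):
    """Return [(name, installed, fixed, id)] for packages below the fixed version."""
    hits = []
    for name, fixed, adv_id in advisories:
        installed = pkgs.get(name)
        if installed and version_tuple(installed) < version_tuple(fixed):
            hits.append((name, installed, fixed, adv_id))
    return hits


# Constructed package-lock.json (lockfileVersion 2) for the demonstration.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.15"},
        "node_modules/minimist": {"version": "1.2.6"},
        "node_modules/express": {"version": "4.18.2"},
    },
})


def demo():
    """Write the sample lock file into a temp tree, then detect, parse and match it."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "usr", "src", "app")
        os.makedirs(app)
        with open(os.path.join(app, "package-lock.json"), "w") as f:
            f.write(SAMPLE_LOCK)
        found = find_lock_files(root)
        with open(found[0][1]) as f:
            pkgs = parse_package_lock(f.read())
        return found[0][0], pkgs, match_advisories(pkgs)


if __name__ == "__main__":
    ecosystem, inventory, hits = demo()
    print(f"{ecosystem}: {len(inventory)} packages inventoried")
    for name, installed, fixed, adv in hits:
        print(f"{adv}: {name} {installed} (fixed in {fixed})")
```

The point of the split into inventory and matching is that the inventory step is what a lock file gives a scanner for free: exact resolved versions, including transitive ones, without resolving anything from the network.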

Trivy can be run from the command line or integrated into a CI job. From the command line, a scan is started by passing the image name: trivy <image-name>. Trivy will scan the image and output any detected vulnerabilities:

[Figure: Output of image scan showing detected vulnerabilities (credit: Trivy)]

It is possible to integrate Trivy into CI tools such as Travis CI, CircleCI, and GitLab CI. Trivy can be set to fail the job run if a vulnerability is found; to have it report findings without failing the run, the flag --exit-code 0 can be specified. For example, to integrate with Travis CI, the .travis.yml file should be updated as follows:

$ cat .travis.yml
services:
  - docker

env:
  global:
    - COMMIT=${TRAVIS_COMMIT::8}   # short commit hash, used as the image tag

before_install:
  - docker build -t trivy-ci-test:${COMMIT} .
  # resolve the latest Trivy release tag from the GitHub API and download that binary
  - export VERSION=$(curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
  - wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz
  - tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz
script:
  # report HIGH findings without failing the build, then fail the build on any CRITICAL finding
  - ./trivy --exit-code 0 --severity HIGH --no-progress trivy-ci-test:${COMMIT}
  - ./trivy --exit-code 1 --severity CRITICAL --no-progress trivy-ci-test:${COMMIT}
cache:
  directories:
    - $HOME/.cache/trivy   # keep the downloaded vulnerability database between runs
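The two-step script above encodes a severity policy with exit codes: HIGH is reported, CRITICAL breaks the build. The following added example (not Trivy's or the project's code) applies the same policy over a JSON report in one pass, which is useful when a pipeline wants one scan and one decision, and adds the common refinement of ignoring findings that have no fixed version yet. The report is constructed; its shape (a top-level "Results" list of targets with "Vulnerabilities") follows Trivy's JSON output as assumed here, and the loader also accepts the older top-level array form. The CVE-DEMO identifiers are placeholders.

```python
"""Added example (not Trivy's code): enforce a severity policy over a Trivy-style
JSON report, mirroring the --exit-code/--severity two-step from the CI config.
The report below is constructed; the JSON shape is an assumption about Trivy output."""
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed report mimicking `trivy --format json <image>` output (placeholder IDs).
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "trivy-ci-test:abcd1234 (alpine 3.11.3)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-DEMO-0001", "PkgName": "musl",
              "InstalledVersion": "1.1.24-r0", "FixedVersion": "1.1.24-r2", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-DEMO-0002", "PkgName": "openssl",
              "InstalledVersion": "1.1.1d-r3", "FixedVersion": "", "Severity": "CRITICAL"},
         ]},
        {"Target": "usr/src/app/package-lock.json",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-DEMO-0003", "PkgName": "lodash",
              "InstalledVersion": "4.17.15", "FixedVersion": "4.17.21", "Severity": "MEDIUM"},
         ]},
    ]
})


def load_findings(report_text):
    """Flatten a Trivy-style report into one list of finding dicts tagged with their target.
    Accepts both the {"Results": [...]} object form and the older top-level array form."""
    data = json.loads(report_text)
    results = data if isinstance(data, list) else data.get("Results", [])
    findings = []
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:  # Trivy emits null when clean
            findings.append({**vuln, "Target": result.get("Target", "")})
    return findings


def count_by_severity(findings):
    """Histogram of findings by severity label."""
    counts = {}
    for f in findings:
        counts[f["Severity"]] = counts.get(f["Severity"], 0) + 1
    return counts


def evaluate(findings, fail_at="CRITICAL", warn_at="HIGH", ignore_unfixed=False):
    """Decide the CI exit code: 1 if any finding is at or above fail_at, else 0.
    Findings at or above warn_at but below fail_at are surfaced as warnings only.
    With ignore_unfixed, findings that have no FixedVersion are skipped (nothing to upgrade to)."""
    fail_rank = SEVERITY_RANK[fail_at]
    warn_rank = SEVERITY_RANK[warn_at]
    failing, warning = [], []
    for f in findings:
        if ignore_unfixed and not f.get("FixedVersion"):
            continue
        rank = SEVERITY_RANK.get(f["Severity"], 0)
        if rank >= fail_rank:
            failing.append(f)
        elif rank >= warn_rank:
            warning.append(f)
    return {"exit_code": 1 if failing else 0, "failing": failing, "warning": warning}


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    print("severity counts:", count_by_severity(findings))
    verdict = evaluate(findings)
    for f in verdict["warning"]:
        print(f"WARN {f['VulnerabilityID']} {f['PkgName']} {f['InstalledVersion']} in {f['Target']}")
    for f in verdict["failing"]:
        print(f"FAIL {f['VulnerabilityID']} {f['PkgName']} {f['InstalledVersion']} in {f['Target']}")
    raise SystemExit(verdict["exit_code"])
```

Note what ignore_unfixed does to the decision: the CRITICAL openssl finding has no fixed version, so with the flag on the build passes with a warning for musl only. Whether that is acceptable is a policy choice; the point is that the choice is explicit in the gate rather than buried in which trivy invocation happened to run last.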

Jerry Gamblin, principal security engineer at Kenna Security, found that within the top Docker files "over 20 percent of the files contained at least one vulnerability that would be considered high risk" and that the median number of CVEs was 37. To help with sharing this information, Gamblin created the tool VulnerableContainers.org, which pulls the top 1000 most popular Docker Hub containers and scans them for vulnerabilities using Trivy.

Trivy is part of Aqua's portfolio of open source cloud native projects, which includes kube-bench, kube-hunter, tracee, CloudSploit, and kubectl-who-can. Trivy is licensed under the Apache 2 license and is available for download via GitHub.

Editor's note: This article was updated on 29th April to correct the list of integrations, based on a request from a Docker representative.


Community comments

  • Announcement location

    by Sandromar Ferreira /

    Hi, Matt,

    Could you provide link to the announcement that says:
    "Trivy is now included within Harbor" ?
    Is this part of Harbor 1.10.x ? Or Harbor 2 ?

    Thanks,
    Sandro.

  • Re: Announcement location

    by Matthew Campbell /

    Here you go: goharbor.io/blog/harbor-1.10-release/#vulnerabi.... It was Harbor 1.10x that this was first introduced.
