Integrate security into CI/CD with the Trivy scanner

Open source Trivy plugs into the software build process and scans container images and infrastructure-as-code files for vulnerabilities and misconfigurations.


Attacks on cloud-native infrastructures are on the rise. Research over a six-month period in 2021 shows a 26% increase in attacks on container environments over the previous six months. Malicious actors are targeting the auto-build process, packing payloads, using rootkits, and compromising misconfigured APIs—often less than an hour after setup.

Automating vulnerability scanning into development processes can reduce the likelihood of successful attacks and help protect containerized workloads. One of the leading tools that enables this is Aqua Security’s Trivy, an easy-to-use open source vulnerability scanner that helps teams “shift left” to incorporate security into the build pipeline. 

Since its inception just a few years ago, Trivy has gained widespread popularity and broad support for its simple approach and comprehensive vulnerability tracking across both OS packages and language-specific dependencies. The Cloud Native Computing Foundation’s end user community selected Trivy as a top devsecops tool for the 2021 CNCF End User Technology Radar. Trivy has been adopted by many leading cloud-native platforms and software providers, including Litmus, Kyverno, Istio, and ExternalDNS; it is the default scanner for Harbor, GitLab, and Artifact Hub; and Microsoft Azure Defender’s CI/CD scanning is powered by Trivy.

Trivy has evolved a great deal since its creation, and our focus on simplicity and effectiveness makes it a critical tool within any developer’s toolkit. In this article, I’d like to walk you through how Trivy integrates security into the build process, share some recent advancements, and explain how Trivy fits into the broader Aqua Security open source ecosystem for securing the full life cycle of cloud-native applications. 

How Trivy works

The cloud-native security journey begins with gaining visibility into the vulnerabilities that exist in code. Identifying and mitigating issues in the development stage reduces the attack surface and the associated risk. For cloud-native applications, this involves scanning images and functions as they are being built, to detect issues early and allow for quick remediation, as well as continuously scanning registries to account for newly discovered vulnerabilities.

Trivy enables devops teams to set up and start scanning as fast as development requires. Deployment and integration into the CI/CD pipeline are as simple as downloading and installing the binary. Trivy can be integrated into CI tools such as Travis CI, CircleCI, and GitLab CI, and it can be set to fail the job run if a vulnerability is found. Trivy is also available as a GitHub Action, which enables easy integration with GitHub code scanning. Developers can build container image scanning into their GitHub Actions workflow to find and eliminate vulnerabilities before they reach production.

[Figure: Trivy GitHub Actions workflow YAML example and the resulting GitHub code scanning results (Aqua Security)]

Unlike other open source scanners, Trivy provides comprehensive visibility across operating system packages and programming language packages. It fetches vulnerability data faster than alternative tools, so scanning takes seconds, and critical CVEs can be filtered directly on the command line.

[Figure: Trivy command-line usage (Aqua Security)]

Trivy has a compact database, with auto-update capabilities that do not require external middleware or database dependencies. Trivy automatically keeps the database up-to-date by downloading the latest pre-built version from GitHub. This enables the tool to be extremely fast and efficient. The tool reports both fixed and unfixed vulnerabilities, with a low false-positive rate for operating systems such as Alpine Linux.

Recent Trivy advancements

Trivy was developed with a strong emphasis on usability, performance, and efficacy, and the advancements made over the past few years have supported these foundational principles. We’ve added capabilities that aid devops teams and their processes, while ensuring that the tool remains highly effective and easy to use. 

In addition to container image scanning, Trivy now supports scanning for file systems and Git repositories. These capabilities help to reinforce container security best practices, such as maintaining a set of base images that are well-maintained and secure. As an example, Aqua Security recently pulled a sample of official Docker images using the Docker Hub API and then scanned those images for vulnerabilities. We found that many images were running unsupported operating systems, including older versions of Debian or Alpine, and that in some cases, the official images were no longer supported. 

[Figure: Trivy scan results for the official Docker django image (Aqua Security)]

We also found images with large numbers of unpatched vulnerabilities but no formal deprecation information. These included Nuxeo (186), Backdrop (173), Kaazing Gateway (95), and CentOS (86). The last of these, CentOS, had been downloaded more than seven million times between July 29 and August 10, 2021. Having an effective scanner like Trivy can ensure that development teams are using well-maintained and secure base images, reducing the risk of exploitation.

Trivy now also works as a client and server. These features are easy to set up and start using. An official Helm chart is provided, so that the Trivy server can be installed in a Kubernetes cluster, and Redis is supported as a cache back end for scale.

Our most recent addition is the ability to scan configuration files of infrastructure-as-code (IaC) tools such as Kubernetes, Docker, and Terraform, to detect misconfigurations. Trivy can parse commonly used cloud-native formats and then apply a set of rules that encode good security practices. This allows for quick identification of possible security issues and opportunities for hardening application artifacts, such as Dockerfiles and Kubernetes manifests.

Terraform scanning leverages the excellent ruleset from the Tfsec project, which recently joined the Aqua open source software ecosystem. There are sets of checks covering the three major cloud providers, and it’s possible to use the Tfsec rulebase in multiple locations, helping to ensure consistent policy application through the development process.
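For the simple case, Trivy's own `--severity` and `--exit-code` flags are enough to fail a job (for example `trivy image --severity HIGH,CRITICAL --exit-code 1 app:1.0`). The following added example, which is not Trivy's or Aqua's code, shows a custom CI gate over the JSON report that `trivy image -f json` or `trivy config -f json` writes: it blocks the build on CRITICAL findings, fixable HIGH findings and HIGH misconfigurations, but only reports HIGH vulnerabilities with no fix available yet, which is the fixed/unfixed distinction discussed above. The embedded report is a constructed sample; its CVE and check IDs are placeholders.

```python
# CI gate over a Trivy JSON report (added example, not Trivy's own code). Policy:
# CRITICAL findings and HIGH findings with a fix available block the build;
# HIGH findings with no fix yet are reported but do not block.
import json
import sys

# Severity order used for the threshold comparison (Trivy's own severity labels).
RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Constructed sample in the shape of `trivy image -f json` / `trivy config -f json`
# output; IDs, package names and versions are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "app:1.0 (alpine 3.12.0)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "HIGH",
         "InstalledVersion": "1.0-r0", "FixedVersion": "1.0-r1"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "Severity": "HIGH",
         "InstalledVersion": "2.1-r0", "FixedVersion": ""},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libthird", "Severity": "LOW",
         "InstalledVersion": "0.9-r0", "FixedVersion": ""}]},
    {"Target": "deploy/web.yaml", "Type": "kubernetes", "Misconfigurations": [
        {"ID": "KSV-PLACEHOLDER", "Title": "Container runs as root",
         "Severity": "HIGH", "Status": "FAIL"}]}]})

def evaluate(report_json, fail_at="HIGH"):
    """Split a Trivy report into (blocking, advisory) lists of finding strings."""
    threshold = RANK[fail_at]
    blocking, advisory = [], []
    for result in json.loads(report_json).get("Results") or []:
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            sev = RANK.get(v.get("Severity", "UNKNOWN"), 0)
            if sev < threshold:
                continue
            entry = f"{target}: {v['VulnerabilityID']} in {v['PkgName']} ({v['Severity']})"
            # An unfixed HIGH cannot be remediated by a rebuild, so it only warns.
            if sev == RANK["CRITICAL"] or v.get("FixedVersion"):
                blocking.append(entry)
            else:
                advisory.append(entry)
        for m in result.get("Misconfigurations") or []:
            # A misconfiguration is fixable by editing the file, so it always blocks.
            if m.get("Status", "FAIL") != "PASS" and RANK.get(m.get("Severity"), 0) >= threshold:
                blocking.append(f"{target}: {m['ID']} {m.get('Title', '')} ({m['Severity']})")
    return blocking, advisory

if __name__ == "__main__":
    # Usage: python trivy_gate.py trivy-report.json ; a non-zero exit fails the CI job.
    block, warn = evaluate(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT)
    print("\n".join(["ADVISORY (no fix yet): " + w for w in warn] + ["BLOCKING: " + b for b in block]))
    sys.exit(1 if block else 0)
```

Run without arguments it evaluates the embedded sample; in a pipeline, point it at the file written by `trivy image -f json -o trivy-report.json <image>`.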

Future Trivy enhancements will add IaC scanning support for Ansible, CloudFormation, and Helm. Other updates will add Trivy support for the recently released AlmaLinux, Rocky Linux, and other new operating systems, expand support for programming languages, and introduce support for software bills of materials (SBOMs).

An open source ecosystem for cloud-native security

Trivy is part of Aqua’s portfolio of open source cloud-native security projects. We see open source as a way to democratize security and also educate engineering, security, and devops teams through accessible tools, reducing the skills gap and automating security controls into cloud-native pipelines well before applications go into production. Our other open source projects include:

  • Tracee: Detects suspicious behaviors at runtime using eBPF tracing and research-driven behavioral signatures.
  • Tfsec: Provides Terraform scanning with a run-anywhere design that ensures that vulnerabilities are identified before deployment, regardless of complexity.
  • Starboard: A Kubernetes-native security toolkit for scanning images used by workloads in a Kubernetes cluster.
  • Kube-bench: Winner of a 2018 InfoWorld Bossie Award, Kube-bench automatically determines whether Kubernetes is configured according to recommendations in the CIS Kubernetes benchmark.
  • Kube-hunter: A penetration testing tool that searches for weaknesses in Kubernetes clusters, so administrators, operators, and security teams can identify and address any issues before attackers are able to exploit them.
  • CloudSploit: Provides cloud security posture management (CSPM), evaluating cloud account and service configurations against security best practices.
  • Appshield: A collection of policies for detecting misconfigurations, specifically security issues, in configuration files and infrastructure-as-code definitions.

These projects integrate with Aqua’s Cloud Native Application Protection Platform and with many commonly used devops ecosystem tools to help drive faster adoption of cloud-native technologies and processes, while maintaining security. They are supported by Aqua’s open source team, which operates separately from commercial engineering. We believe this allows us to sustain our commitment to providing long-term support, creating in-demand features with high-quality code, and continually contributing to other projects within the open source community. 

Teppei Fukuda is an open source software engineer at Aqua Security.

New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to newtechforum@infoworld.com.

Copyright © 2021 IDG Communications, Inc.
