DEV Community

Jen C.

Detect and fix vulnerabilities (CVEs) and misconfigurations (IaC) in your web application

Resources

Trivy

OWASP Web Application Security

Step-by-step guide (identify the problems and fix them on your local computer)

Install Trivy

After installing Trivy, run the following command; it should print version information similar to the screenshot below.

trivy --version

(screenshot of the trivy --version output)

Scan the local project

Docs: Filesystem scanning

Change into the project directory and run:

trivy fs .

By default trivy fs reports vulnerable packages found in lockfiles such as package-lock.json and yarn.lock, plus exposed secrets. To also run the IaC misconfiguration checks (Dockerfile, Kubernetes manifests, Terraform and similar), add --scanners vuln,misconfig. Adding --severity CRITICAL,HIGH limits the report to what should be fixed first, and --exit-code 1 makes the scan fail a CI job while such findings remain.

Generated report example

(screenshot of the generated report)

Update, Patch, or Remove Vulnerable Packages

Focus on fixing Critical and High severity vulnerabilities first.

Use your package manager to find out why a vulnerable package is installed, in particular whether it is a direct dependency or is pulled in transitively by another package.

For example, with Yarn:

yarn why @babel/traverse

Output

(screenshot of the yarn why output)

yarn why shows that @babel/traverse is present only because @babel/core depends on it. The project still needs @babel/core, so the fix is to upgrade the parent: run yarn add @babel/core -D (which installs the latest @babel/core and, with it, a patched @babel/traverse), then run trivy fs . again to confirm the finding is gone.

After upgrading @babel/core, the Critical finding no longer appears in the report.

(screenshot of the re-run report)

Two checks are worth doing at this step. Upgrading the parent only helps if yarn.lock now resolves @babel/traverse to a version at or above the fixed version Trivy reported, so rerun yarn why (or read the lockfile) rather than assuming. If the parent has not yet released a version that depends on the patched package, the resolutions field in package.json lets Yarn pin the transitive dependency directly; in either case the rescan is the proof.
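As an added example (not part of the original post and not Trivy's own code), here is a small Python triage script for the report that trivy fs --format json --scanners vuln,misconfig . produces. It flattens vulnerabilities and failed misconfiguration checks into one list, orders them Critical-first with fixable findings ahead of unfixable ones, builds a per-package list of the fixed versions to upgrade to (the step the post does by hand with yarn why), and returns a non-zero gate while Critical or High findings remain, the same way --exit-code 1 would. The embedded report is constructed sample data: the CVE-0000-* identifiers, the DS-EXAMPLE check IDs, the example-lib package and all version numbers are placeholders, not real advisories. run_trivy assumes the trivy binary is on PATH.

```python
"""Triage a Trivy JSON report: rank findings, build a fix plan, gate CI."""
import json
import subprocess
from collections import defaultdict

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Constructed sample in the shape of `trivy fs --format json --scanners vuln,misconfig .`
# (schema version 2). The CVE-0000-* IDs, DS-EXAMPLE IDs, example-lib and every
# version number are placeholders, not real advisories. The PASS entry only appears
# in real reports when trivy is run with --include-non-failures.
SAMPLE_REPORT = json.loads(r"""
{
  "SchemaVersion": 2, "ArtifactName": ".", "ArtifactType": "filesystem",
  "Results": [
    {"Target": "yarn.lock", "Class": "lang-pkgs", "Type": "yarn",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-0001", "PkgName": "@babel/traverse",
        "InstalledVersion": "7.0.0", "FixedVersion": "7.0.1",
        "Severity": "CRITICAL", "Title": "placeholder: code execution via crafted input"},
       {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-lib",
        "InstalledVersion": "1.2.0", "FixedVersion": "",
        "Severity": "HIGH", "Title": "placeholder: no upstream fix yet"},
       {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-lib",
        "InstalledVersion": "1.2.0", "FixedVersion": "1.2.5, 2.0.1",
        "Severity": "MEDIUM", "Title": "placeholder: denial of service"}]},
    {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
     "Misconfigurations": [
       {"ID": "DS-EXAMPLE", "Title": "placeholder: container runs as root",
        "Severity": "HIGH", "Status": "FAIL", "Resolution": "Add a USER instruction"},
       {"ID": "DS-EXAMPLE-2", "Title": "placeholder: passing check",
        "Severity": "LOW", "Status": "PASS", "Resolution": ""}]}
  ]
}
""")


def collect_findings(report):
    """Flatten package vulnerabilities and FAILed misconfigurations into one list."""
    findings = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "kind": "vuln", "target": target, "id": v["VulnerabilityID"],
                "pkg": v["PkgName"], "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),  # "" means no fixed release yet
                "severity": v.get("Severity", "UNKNOWN"), "title": v.get("Title", "")})
        for m in result.get("Misconfigurations") or []:
            if m.get("Status", "FAIL") != "FAIL":
                continue  # passing checks are noise for triage
            findings.append({
                "kind": "misconfig", "target": target, "id": m["ID"], "pkg": "",
                "installed": "", "fixed": m.get("Resolution", ""),
                "severity": m.get("Severity", "UNKNOWN"), "title": m.get("Title", "")})
    return findings


def prioritize(findings):
    """Most severe first; within a severity, findings with a known fix come first."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0),
                                           f["fixed"] == "", f["id"]))


def fix_plan(findings, min_severity="HIGH"):
    """Map each package with findings at or above min_severity to its fixed versions.
    A package whose findings have no fix yet is listed with an empty version list."""
    threshold = SEVERITY_RANK[min_severity]
    plan = defaultdict(set)
    for f in findings:
        if f["kind"] != "vuln" or SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        plan[f["pkg"]].update(v.strip() for v in f["fixed"].split(",") if v.strip())
    return {pkg: sorted(versions) for pkg, versions in plan.items()}


def gate(findings, fail_on=("CRITICAL", "HIGH"), ignore_unfixed=False):
    """Return 1 while findings at the given severities remain, else 0.
    Mirrors `trivy --exit-code 1 --severity CRITICAL,HIGH [--ignore-unfixed]`."""
    for f in findings:
        if f["severity"] not in fail_on:
            continue
        if ignore_unfixed and f["kind"] == "vuln" and not f["fixed"]:
            continue
        return 1
    return 0


def run_trivy(path="."):
    """Scan a directory with trivy (assumed to be on PATH) and return the parsed report."""
    out = subprocess.run(
        ["trivy", "fs", "--format", "json", "--scanners", "vuln,misconfig", "--quiet", path],
        check=True, capture_output=True, text=True)
    return json.loads(out.stdout)


if __name__ == "__main__":
    findings = collect_findings(SAMPLE_REPORT)  # swap in run_trivy(".") for a real scan
    for f in prioritize(findings):
        print(f"{f['severity']:<8} {f['id']:<14} {f['target']:<11} "
              f"{f['pkg'] or '-'} {f['installed']} -> {f['fixed'] or 'no fix yet'}")
    print("fix plan:", fix_plan(findings))
    raise SystemExit(gate(findings))
```

Trivy can do the gating itself with --severity CRITICAL,HIGH --exit-code 1 (and --ignore-unfixed to skip findings with no patched release); what the script adds is the grouped fix plan, which tells you directly which packages to upgrade and to what before you re-run the scan.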
