DEV Community

Josh Kasuboski
Josh Kasuboski

Posted on • Originally published at joshkasuboski.com on

1 1

Container Image Scanning with Trivy

#devops #productivity #kubernetes #docker

I wanted to have some peace of mind when running random container images. Trivy let's me scan them for common vulnerabilities.

Installing Trivy

You can find the Trivy repo on GitHub at aquasecurity/trivy. Installing with Homebrew is just brew install aquasecurity/trivy/trivy. Trivy is written in Golang so you just need to get the binary. They also have a magic script you can use

curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin

Once you have trivy in your $PATH, you can run trivy and see the options. Trivy can do a number of scans: a remote image, local filesystem, or a remote repository.

The various options make it easy to scan code repos, images before they are pushed, and third-party images you want to use.

Scanning an image

I use ArgoCD and had to use an image other than the official one since I wanted multi-arch support. This saved me from having to build it myself which I've done in the past.

I wanted to scan this image for vulnerabilities (the build is open source, but you never really know). With Trivy this is as easy as trivy image alinbalutoiu/argocd:v1.7.1. It will download (and cache) the vulnerability database and then pull and scan the image. It then outputs a nice table of vulnerabilities as seen below. You can also filter by severity and ignore unfixed.

Trivy Results

Next Stop CI

This is great for testing an image ad-hoc, but I want to add this to my gitops repo so that all images are scanned periodically. There is already a Trivy GitHub Action, but I think it's intended more for images you are building.

I also want to run something in my cluster that will periodically check all images that are running. Something like starboard could be the beginning of that.

profile
Heroku
 Promoted

Heroku

Build apps, not infrastructure.

Dealing with servers, hardware, and infrastructure can take up your valuable time. Discover the benefits of Heroku, the PaaS of choice for developers since 2007.

Visit Site

Top comments (1)

Collapse
 
flrichar profile image
Fred Richards

Thanks for this! I was meaning to play more with trivy and this just pushed me over the edge. That's a good thing.

One thing I like to do, is install these type of curl-pipe-shellscript for only my user...

# curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b ~/.local/bin

profile
Heroku
 Promoted

Heroku

Simplify your DevOps and maximize your time.

Since 2007, Heroku has been the go-to platform for developers as it monitors uptime, performance, and infrastructure concerns, allowing you to focus on writing code.

Learn More

Read next

jajera profile image

Terraform Validation Rules: Best Practices & Examples

John Ajera -

jetthoughts-dev profile image

Reviving Defense Technology: Silicon Valley's Next Chapter

JetThoughts Dev -

cloudnative_eng profile image

Getting Started with Kubernetes Gateway API and Traefik

Cloud Native Engineer -

ravenesc profile image

A Media Server on Steroids - Walkthrough

Raven Spencer -

👋 Kindness is contagious

Please leave a ❤️ or a friendly comment on this post if you found it helpful!

Okay