Trivy
Learn how Trivy helps detect vulnerabilities
Introduction
Security is a critical aspect of modern software development, especially in containerized environments. Trivy, an open-source vulnerability scanner developed by Aqua Security, helps detect security issues in container images, file systems, cloud services, and more. With its simple setup and powerful scanning capabilities, Trivy has become a popular choice for DevSecOps teams.
What Can Trivy Scan?
Trivy supports multiple scanning targets, making it a versatile security tool:
- Container Images (Docker, Podman, etc.)
- Filesystem (local and remote files)
- Git Repositories (remote scanning for vulnerabilities in codebases)
- Virtual Machine Images (e.g., AWS AMIs, VMDK, QCOW2)
- Kubernetes Clusters (detects misconfigurations and vulnerabilities in workloads)
- AWS (scans for security issues in cloud resources)
What Security Issues Can Trivy Detect?
Trivy provides multiple types of security scanning:
- Software Bill of Materials (SBOM) - Identifies installed OS packages and dependencies.
- Known Vulnerabilities (CVEs) - Detects security flaws in software packages.
- Infrastructure as Code (IaC) Issues - Checks misconfigurations in Kubernetes, Terraform, and other configurations.
- Sensitive Information & Secrets - Scans for exposed API keys, passwords, and credentials.
- Software Licenses - Ensures compliance with licensing policies.
Severity Levels in Trivy
Trivy determines vulnerability severity using the most accurate available data source. Vendor-specific assessments are prioritized over general databases like NVD. For example, a CVE marked as HIGH in NVD may be categorized as Low by Red Hat based on actual software distribution.
If no vendor-specific severity is available, Trivy uses the CVSS (Common Vulnerability Scoring System) v3.0 ratings:
| Base Score Range | Severity |
|---|---|
| 0.1 - 3.9 | Low |
| 4.0 - 6.9 | Medium |
| 7.0 - 8.9 | High |
| 9.0 - 10.0 | Critical |
Install Script (Official)
For convenience, you can use the install script to download and install Trivy from GitHub Release.
1
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.59.1
Install template
1
mkdir -p /usr/local/share/trivy/templates
1
wget -O /usr/local/share/trivy/templates/html.tpl https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl
Trivy Jenkins Pipeline
To integrate Trivy into a Jenkins pipeline for continuous security scanning, use the following Groovy script:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
pipeline {
agent any
environment {
IMAGE_NAME = 'python'
IMAGE_TAG = '3.4-alpine'
}
stages {
stage('Trivy Vulnerability Scan') {
steps {
script {
// Run Trivy scan on the Docker image
sh """
trivy image \
--exit-code 0 \
--quiet \
--severity HIGH,CRITICAL \
--format template --template "@/usr/local/share/trivy/templates/html.tpl" \
-o trivy-scan.html \
${IMAGE_NAME}:${IMAGE_TAG}
"""
archiveArtifacts artifacts: 'trivy-scan.html', fingerprint: true
}
}
}
}
}
Conclusion
Trivy is a powerful and easy-to-use security scanner that helps detect vulnerabilities across multiple environments. Integrating it into CI/CD pipelines ensures proactive security measures. Whether you’re working with containers, Kubernetes, or cloud infrastructure, Trivy provides essential security insights to keep your systems safe.
Do you use Trivy in your security pipeline? Share your thoughts in the comments!