
Trivy for docker image scanning



We have seen a lot of security scanning tools like Black Duck, Fortify, SonarQube and so on.

These tools scan source code and the built binaries. That is all well and good; I think each of them does the best job within its respective feature set. But in an industry where we ship solutions as containers bundled with those binaries, it is relevant to have a tool that can scan the final product: the image itself.

That is what Trivy, an open source project developed by Aqua Security, offers. I think it is a brilliant little tool that scans a Docker image for security issues for free!


So what does it scan? It scans the operating system libraries that support your application, and the application itself; it also scans for misconfigurations and secrets. The only thing it lacks is a dashboard like SonarQube or Black Duck have, but it generates text and JSON reports that can be used to build dashboards in Grafana or Superset.

  1. Operating System Libraries: Trivy scans the base image and all its layers for known vulnerabilities in operating system libraries and packages. This includes common Linux distributions such as Debian, Alpine, Ubuntu, etc.

  2. Application Dependencies: In addition to OS-level vulnerabilities, Trivy also checks for vulnerabilities in application dependencies. This is crucial as many containerized applications rely on various libraries and frameworks that may have their own security issues.

  3. Misconfigurations: Trivy can detect misconfigurations within the Docker image that may pose security risks. This includes issues such as insecure permissions, exposed sensitive information, or improper configuration of security-related settings.

  4. Secrets: Trivy can help identify the accidental inclusion of secrets or sensitive information within the Docker image. This is important for maintaining the confidentiality and integrity of the application and its environment.
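As an added example (not from this post or the Trivy project), here is how the JSON report covering those four finding kinds can feed both a dashboard and a CI gate. The sample report is constructed in the layout of `trivy image --format json` output as I know it (`Results[].Class` with `Vulnerabilities`, `Secrets` and `Misconfigurations`); every CVE id, check id, version and image name is a placeholder, and the key names are an assumption to check against your own Trivy version's output.

```python
"""Summarise a Trivy JSON image report and apply a CI severity gate."""
import json
from collections import Counter
# Constructed sample in the layout of `trivy image --format json` output
# (Results[].Class with Vulnerabilities / Secrets / Misconfigurations).
# Every id, version and image name is a placeholder, not a real advisory.
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "ArtifactName": "example.local/app:1.0", "Results": [
    {"Target": "example.local/app:1.0 (alpine 3.18.0)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "InstalledVersion": "3.1.0-r0",
         "FixedVersion": "3.1.1-r0", "Severity": "HIGH"}]},
    {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "requests", "InstalledVersion": "2.25.0",
         "Severity": "MEDIUM"}]},  # no FixedVersion yet: nothing to upgrade to
    {"Target": "app/config.env", "Class": "secret", "Secrets": [
        {"RuleID": "aws-access-key-id", "Title": "AWS Access Key ID", "Severity": "CRITICAL", "StartLine": 3}]},
    {"Target": "Dockerfile", "Class": "config", "Misconfigurations": [
        {"ID": "MISCONF-EXAMPLE", "Title": "Image runs as root (placeholder check)", "Severity": "HIGH",
         "Status": "FAIL"}]}]})

SEVERITY_RANK = {s: i for i, s in enumerate(["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"])}

def findings(report):
    """Flatten all four finding kinds into (class, severity, id, fixable) tuples."""
    out = []
    for result in report.get("Results", []):
        cls = result.get("Class", "")
        for v in result.get("Vulnerabilities") or []:
            out.append((cls, v.get("Severity", "UNKNOWN"), v["VulnerabilityID"], bool(v.get("FixedVersion"))))
        for s in result.get("Secrets") or []:
            out.append((cls, s.get("Severity", "UNKNOWN"), s["RuleID"], False))
        for m in result.get("Misconfigurations") or []:
            if m.get("Status") == "FAIL":  # PASS entries are not findings
                out.append((cls, m.get("Severity", "UNKNOWN"), m["ID"], False))
    return out

def summarize(report_json):
    """Counts per (class, severity): the rows a Grafana or Superset dashboard would chart."""
    return Counter((cls, sev) for cls, sev, _, _ in findings(json.loads(report_json)))

def gate(report_json, min_severity="HIGH", fixable_only=False):
    """Ids that should fail the build: everything at or above min_severity. With fixable_only,
    package CVEs lacking a FixedVersion are skipped; secrets and misconfigurations always count."""
    threshold = SEVERITY_RANK[min_severity]
    fails = []
    for cls, sev, ident, fixable in findings(json.loads(report_json)):
        if SEVERITY_RANK.get(sev, 0) < threshold: continue
        if fixable_only and cls in ("os-pkgs", "lang-pkgs") and not fixable: continue
        fails.append(ident)
    return fails
```

In a pipeline you would replace `SAMPLE_REPORT` with the file written by `trivy image --format json --output report.json <image>` and exit non-zero when `gate()` returns anything.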

I have attached the links to the source code and the documentation below, in case you are looking for a free security scanning tool for your team.


source code: https://github.com/aquasecurity/trivy

Trivy home: https://trivy.dev/

