
Trivy for docker image scanning

We have seen a lot of security scanning tools like Black Duck, Fortify, SonarQube etc.

These tools scan source code and the built binaries. That is all well and good; I think they do the best job in their respective feature kits. But in an industry where we ship solutions as containers bundled with the binaries, it is relevant to have a tool that can scan the final product: the image itself.

That is what Trivy, an open source project developed by Aqua Security, is offering. I think it is a brilliant little tool that scans for security issues in a Docker image for free!!


Well, what all does it scan? It scans the operating system libraries that support your application as well as the application itself, and it also scans for misconfigurations and secrets. The only thing it doesn't have is a dashboard like SonarQube and Black Duck; still, it generates text and JSON based reports that can be used to build dashboards in Grafana or Superset.

  1. Operating System Libraries: Trivy scans the base image and all its layers for known vulnerabilities in operating system libraries and packages. This includes common Linux distributions such as Debian, Alpine, Ubuntu, etc.

  2. Application Dependencies: In addition to OS-level vulnerabilities, Trivy also checks for vulnerabilities in application dependencies. This is crucial as many containerized applications rely on various libraries and frameworks that may have their own security issues.

  3. Misconfigurations: Trivy can detect misconfigurations within the Docker image that may pose security risks. This includes issues such as insecure permissions, exposed sensitive information, or improper configuration of security-related settings.

  4. Secrets: Trivy can help identify accidental inclusion of secrets or sensitive information within the Docker image. This is important for maintaining the confidentiality and integrity of the application and its environment.
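As an added example (not code from the post or from the Trivy project), here is a small Python script that reads the JSON report Trivy writes with `trivy image --format json --output report.json <image>`, counts findings per result class and severity, and lists the packages that already have a fixed version, which is the kind of summary you would feed to a dashboard or a build gate. The report embedded below is a constructed sample with placeholder vulnerability IDs; the image name and file paths are made up.

```python
import json
from collections import Counter

# Constructed sample of a Trivy JSON report (SchemaVersion 2), trimmed to the
# fields this summary uses; it is not output captured from a real scan.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.local/app:1.0",
    "Results": [
        {"Target": "example.local/app:1.0 (debian 12.4)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libssl3", "Severity": "HIGH",
              "InstalledVersion": "3.0.1", "FixedVersion": "3.0.2"},
             {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "zlib1g", "Severity": "LOW",
              "InstalledVersion": "1.2.13", "FixedVersion": ""}]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "requests", "Severity": "CRITICAL",
              "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0"}]},
        {"Target": "app/config.env", "Class": "secret",
         "Secrets": [{"RuleID": "aws-access-key-id", "Severity": "CRITICAL", "Title": "AWS Access Key ID"}]},
    ],
})


def summarize(report_text):
    """Count findings per result class and severity: {class: Counter(severity -> n)}."""
    summary = {}
    for result in json.loads(report_text).get("Results", []):
        counts = summary.setdefault(result.get("Class", "unknown"), Counter())
        # Trivy keeps each finding type under its own key; absent keys mean no findings.
        for key in ("Vulnerabilities", "Secrets", "Misconfigurations"):
            for finding in result.get(key) or []:
                counts[finding.get("Severity", "UNKNOWN")] += 1
    return summary


def fixable(report_text, severities=("HIGH", "CRITICAL")):
    """Vulnerable packages with a published fix, as (pkg, installed, fixed, id) tuples."""
    out = []
    for result in json.loads(report_text).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") in severities and v.get("FixedVersion"):
                out.append((v["PkgName"], v["InstalledVersion"], v["FixedVersion"], v["VulnerabilityID"]))
    return out


if __name__ == "__main__":
    for cls, counts in summarize(SAMPLE_REPORT).items():
        print(cls, dict(counts))
    for pkg, cur, fix, vid in fixable(SAMPLE_REPORT):
        print(f"upgrade {pkg} {cur} -> {fix} ({vid})")
```

Point `summarize` and `fixable` at the contents of a real `report.json` instead of `SAMPLE_REPORT`; a package that shows up in `fixable` is one you can close out with a base image or dependency bump, while a finding with an empty `FixedVersion` needs tracking rather than a patch.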

I have attached the links to the source code and the documentation, in case you are looking for a free security scanning tool for your team.


source code: https://github.com/aquasecurity/trivy

Trivy home: https://trivy.dev/
