Integrate security into CI/CD with the Trivy scanner

Nancy J. Delong

Attacks on cloud-native infrastructures are on the rise. Research covering a six-month period in 2021 reveals a 26% increase in attacks on container environments over the previous six months. Malicious actors are targeting the auto-build process, packing the payloads, using rootkits, and compromising misconfigured APIs, often within less than an hour of setup.

Automating vulnerability scanning into development processes can reduce the chance of successful attacks and help protect containerized workloads. One of the leading tools that enables this is Aqua Security's Trivy, an easy-to-use open source vulnerability scanner that helps teams "shift left" to integrate security into the build pipeline.

Since its inception just a few years ago, Trivy has gained widespread recognition and broad support for its simple approach and comprehensive vulnerability tracking across both OS packages and language-specific dependencies. The Cloud Native Computing Foundation's end user community selected Trivy as a top devsecops tool for the 2021 CNCF End User Technology Radar. Trivy has been adopted by many leading cloud-native platforms and software vendors, including Litmus, Kyverno, Istio, and ExternalDNS; it is the default scanner for Harbor, GitLab, and Artifact Hub; and Microsoft Azure Defender's CI/CD scanning is powered by Trivy.

Trivy has evolved a great deal since its creation, and our emphasis on simplicity and performance makes it an important tool within any developer's toolkit. In this article, I'd like to walk you through how Trivy integrates security into the build process, share some recent developments, and show how Trivy fits into the broader Aqua Security open source ecosystem for securing the full life cycle of cloud-native applications.

How Trivy works

The cloud-native security journey begins with gaining visibility into the vulnerabilities that exist in code. Identifying and mitigating issues in the development stage reduces the attack surface and removes risk. For cloud-native applications, this involves scanning images and functions as they are being built, to detect issues early and allow for quick remediation, as well as continuously scanning registries to account for newly discovered vulnerabilities.

Trivy allows devops teams to set up and start scanning as soon as development requires it. Deployment and integration into the CI/CD pipeline is as simple as downloading and installing the binary. Trivy can be integrated into CI tools such as Travis CI, CircleCI, and GitLab CI. Trivy can be set to fail the job run if a vulnerability is found. Trivy is also available as a GitHub Action, which allows easy integration with GitHub code scanning. Developers can build container image scanning into their GitHub Actions workflow to find and eliminate vulnerabilities before they reach production.

[Figure: Trivy GitHub Actions YAML example (Aqua Security)]
[Figure: Trivy results in GitHub code scanning (Aqua Security)]

Unlike other open source scanners, Trivy provides comprehensive visibility across operating system packages and programming language packages. It fetches vulnerability data faster than alternative tools, so scanning takes seconds, and critical CVEs can be filtered right on the command line.
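The two points above, failing the CI job on a finding and filtering by severity on the command line, come together in a small gate script. The following is an added example, not Trivy's own code or the GitHub Action: a pipeline step runs `trivy image --format json` (the `--format`, `--severity` and `--ignore-unfixed` flags are real Trivy options), and the script decides the job's exit code from the report. The policy it applies (fail on HIGH or CRITICAL findings that already have a fix) is an assumption chosen for illustration; the report, image name and CVE identifiers embedded below are constructed placeholders shaped like Trivy's JSON output, not real findings.

```python
"""CI gate over a Trivy JSON report (added example, not Trivy's own code)."""
import json
import subprocess
import sys
from typing import Dict, Iterable, List, Tuple

DEFAULT_SEVERITIES = ("HIGH", "CRITICAL")

# Constructed sample shaped like Trivy's JSON report. The image name and the
# CVE identifiers are placeholders, not real vulnerabilities.
SAMPLE_REPORT: Dict = {
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/app:1.0",
    "Results": [
        {
            "Target": "example.invalid/app:1.0 (alpine 3.12.0)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0-r0", "FixedVersion": "1.0-r1",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.3", "Severity": "HIGH"},  # no fix yet
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
                 "InstalledVersion": "0.9", "FixedVersion": "1.0",
                 "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "somepkg",
                 "InstalledVersion": "1.2.0", "FixedVersion": "1.2.1",
                 "Severity": "HIGH"},
            ],
        },
    ],
}

# (target, vulnerability id, package, installed, fixed, severity)
Finding = Tuple[str, str, str, str, str, str]


def build_trivy_command(image: str, severities: Iterable[str] = DEFAULT_SEVERITIES,
                        ignore_unfixed: bool = True) -> List[str]:
    """Assemble the `trivy image` invocation for a pipeline step.

    --format json gives a machine-readable report; --severity and
    --ignore-unfixed let Trivy itself narrow what is reported.
    """
    cmd = ["trivy", "image", "--format", "json", "--severity", ",".join(severities)]
    if ignore_unfixed:
        cmd.append("--ignore-unfixed")
    cmd.append(image)
    return cmd


def select_findings(report: Dict, severities: Iterable[str] = DEFAULT_SEVERITIES,
                    ignore_unfixed: bool = True) -> List[Finding]:
    """Apply the policy to a parsed report, whether Trivy pre-filtered it or not."""
    wanted = {s.upper() for s in severities}
    found: List[Finding] = []
    for result in report.get("Results") or []:
        # A target with no vulnerabilities carries null here, not an empty list.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity", "UNKNOWN").upper() not in wanted:
                continue
            fixed = vuln.get("FixedVersion", "")
            if ignore_unfixed and not fixed:
                continue
            found.append((result.get("Target", ""), vuln["VulnerabilityID"],
                          vuln.get("PkgName", ""), vuln.get("InstalledVersion", ""),
                          fixed, vuln["Severity"]))
    return found


def gate_exit_code(report: Dict, severities: Iterable[str] = DEFAULT_SEVERITIES,
                   ignore_unfixed: bool = True) -> int:
    """1 (fail the job) if any finding matches the policy, else 0."""
    return 1 if select_findings(report, severities, ignore_unfixed) else 0


def scan_and_gate(image: str) -> int:
    """Run Trivy (assumed to be on PATH) and return the exit code for the CI job."""
    proc = subprocess.run(build_trivy_command(image), capture_output=True,
                          text=True, check=True)
    report = json.loads(proc.stdout)
    for f in select_findings(report):
        print("%s: %s in %s %s -> fix %s [%s]" % f)
    return gate_exit_code(report)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        sys.exit(scan_and_gate(sys.argv[1]))
    # No image given: show the policy on the constructed sample instead.
    for f in select_findings(SAMPLE_REPORT):
        print("%s: %s in %s %s -> fix %s [%s]" % f)
    sys.exit(gate_exit_code(SAMPLE_REPORT))
```

For the simple case, Trivy's own `--exit-code 1` flag already fails the step without any wrapper; the script is useful when the policy needs to be explicit, or when it has to be applied later to a report saved with `--output` rather than at scan time. Re-applying the severity and fixed-status filters in code also means the gate gives the same answer on reports that were not pre-filtered.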

[Figure: Trivy command-line usage (Aqua Security)]

Trivy has a compact database, with auto-update capabilities that do not require external middleware or database dependencies. Trivy automatically keeps the database up to date by downloading the latest pre-built version from GitHub. This makes the tool very fast and efficient. The tool provides results for fixed and unfixed vulnerabilities, and low false positives for operating systems such as Alpine Linux.

Recent Trivy developments

Trivy was created with a strong emphasis on usability, performance, and efficacy, and the developments made over the past few years have supported these foundational principles. We've added capabilities that help devops teams and their processes, while ensuring that the tool remains powerful and easy to use.

In addition to container image scanning, Trivy now supports scanning of file systems and Git repositories. These capabilities help to promote container security best practices, such as maintaining a set of base images that are well-maintained and secure. As an illustration, Aqua Security recently pulled a sample of official Docker images using the Docker Hub API and then scanned those images for vulnerabilities. We found that many images were running unsupported operating systems, including older versions of Debian or Alpine, and that in some cases the official images were no longer supported.

[Figure: Trivy scan of the official Docker Django image (Aqua Security)]

We also found images with large numbers of unpatched vulnerabilities but no official deprecation information. These include Nuxeo (186), Backdrop (173), Kaazing Gateway (95), and CentOS (86). The last of these, CentOS, had been downloaded more than seven million times between July 29 and August 10, 2021. Having an effective scanner like Trivy can ensure that development teams are using well-maintained and secure base images, reducing the risk of exploitation.

Trivy now also works as a client and server. These features are easy to set up and start using. An official Helm chart is provided, so that the Trivy server can be installed in a Kubernetes cluster, and Redis is supported as a cache back end for scale.

Our most recent addition is the ability to scan configuration files of infrastructure-as-code (IaC) tools such as Kubernetes, Docker, and Terraform, to detect misconfigurations. Trivy can parse commonly used cloud-native formats and then apply a set of rules that encode good security practices. This allows for quick identification of potential security issues and opportunities for hardening software artifacts, such as Dockerfiles and Kubernetes manifests.

Terraform scanning leverages the excellent ruleset from the Tfsec project, which recently joined the Aqua open source software ecosystem. There are sets of checks covering the three major cloud providers, and it is possible to use the Tfsec rulebase in a number of places, helping to ensure consistent policy application throughout the development process.
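To make concrete what "rules that encode good security practices" look like when applied to a Dockerfile, here is an added example that is not Trivy's rule set or code: a minimal Dockerfile parser with three checks of the kind an IaC scanner applies (unpinned base image, `ADD` where `COPY` would do, final stage running as root), run over a constructed weak Dockerfile and its hardened counterpart. The rule names `UNPINNED_BASE_IMAGE`, `ADD_INSTEAD_OF_COPY` and `RUNS_AS_ROOT` are made up here, and the two Dockerfiles are constructed for the demonstration.

```python
"""Illustrative Dockerfile misconfiguration checks (added example, not Trivy's rules)."""
from typing import List, Optional, Tuple

Instruction = Tuple[str, str]  # (KEYWORD, arguments)
Finding = Tuple[str, str]      # (rule name, message); rule names are made up here

ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tar.xz")

# Constructed weak Dockerfile: unpinned base, ADD for a local dir, runs as root.
WEAK_DOCKERFILE = """\
FROM python
ADD . /app
RUN pip install -r /app/requirements.txt
CMD ["python", "/app/main.py"]
"""

# Constructed hardened counterpart: pinned tags, COPY, dedicated non-root user.
HARDENED_DOCKERFILE = """\
FROM python:3.9-slim AS build
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt

FROM python:3.9-slim
COPY --from=build /install /usr/local
COPY . /app
RUN adduser --system --no-create-home app \\
    && chown -R app /app
USER app
CMD ["python", "/app/main.py"]
"""


def parse_dockerfile(text: str) -> List[Instruction]:
    """Split a Dockerfile into (KEYWORD, args) pairs, joining backslash
    continuations and skipping comments and blank lines."""
    instructions: List[Instruction] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        parts = (pending + line).split(None, 1)
        instructions.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        pending = ""
    return instructions


def _base_image(args: str) -> str:
    """'--platform=x img:tag AS name' -> 'img:tag'."""
    tokens = [t for t in args.split() if not t.startswith("--")]
    return tokens[0] if tokens else ""


def _stage_name(args: str) -> Optional[str]:
    tokens = args.split()
    for j, t in enumerate(tokens):
        if t.upper() == "AS" and j + 1 < len(tokens):
            return tokens[j + 1]
    return None


def _is_pinned(ref: str) -> bool:
    """True for a digest or a non-'latest' tag; a registry port is not a tag."""
    if "@" in ref:
        return True
    last = ref.rsplit("/", 1)[-1]
    return ":" in last and last.split(":", 1)[1] != "latest"


def check_dockerfile(text: str) -> List[Finding]:
    instructions = parse_dockerfile(text)
    findings: List[Finding] = []
    from_idx = [i for i, (kw, _) in enumerate(instructions) if kw == "FROM"]
    stage_names = {_stage_name(instructions[i][1]) for i in from_idx} - {None}

    for i in from_idx:  # every stage, since build stages are rebuilt from these too
        ref = _base_image(instructions[i][1])
        if ref != "scratch" and ref not in stage_names and not _is_pinned(ref):
            findings.append(("UNPINNED_BASE_IMAGE",
                             "FROM %s: pin a tag or digest instead of latest" % ref))

    for kw, args in instructions:
        if kw == "ADD":
            sources = [t for t in args.split() if not t.startswith("--")][:-1]
            if not any(s.startswith(("http://", "https://")) or s.endswith(ARCHIVE_SUFFIXES)
                       for s in sources):
                findings.append(("ADD_INSTEAD_OF_COPY",
                                 "ADD %s: use COPY unless fetching a URL or extracting an archive" % args))

    # Only the final stage ships, so only its effective USER matters.
    final_stage = instructions[from_idx[-1]:] if from_idx else instructions
    users = [args.strip() for kw, args in final_stage if kw == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append(("RUNS_AS_ROOT", "final stage has no non-root USER instruction"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, check_dockerfile(text) or "no findings")
```

The checks deliberately work on the parsed instruction list rather than on raw lines, which is why the continuation-joined `RUN` and the `COPY --from=build` in the hardened file are handled correctly; a real scanner's rules are richer, but the shape is the same: parse the artifact, then evaluate each rule against the structure.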

Future Trivy enhancements will add IaC scanning support for Ansible, CloudFormation, and Helm. Other updates will add Trivy support for the recently released AlmaLinux, Rocky Linux, and other new operating systems, plus extend support for programming languages and introduce support for software bill of materials (SBOM).

An open source ecosystem for cloud-native security

Trivy is part of Aqua's portfolio of open source cloud-native security projects. We see open source as a way to democratize security and also educate engineering, security, and devops teams through accessible tools, reducing the skills gap and automating security controls into cloud-native pipelines well before applications go into production. Our other open source projects include:

  • Tracee: Detects suspicious behaviors at runtime using eBPF tracing and research-driven behavioral signatures.
  • Tfsec: Provides Terraform scanning with a run-anywhere design that ensures vulnerabilities are identified before deployment, regardless of complexity.
  • Starboard: A Kubernetes-native security toolkit for scanning images used by workloads in a Kubernetes cluster.
  • Kube-bench: Winner of a 2018 InfoWorld Bossie Award, Kube-bench automatically determines whether Kubernetes is configured according to the recommendations in the CIS Kubernetes Benchmark.
  • Kube-hunter: A penetration testing tool that searches for weaknesses in Kubernetes clusters, so administrators, operators, and security teams can identify and address any issues before attackers are able to exploit them.
  • CloudSploit: Provides cloud security posture management (CSPM), assessing cloud account and service configurations against security best practices.
  • Appshield: A collection of policies for detecting misconfigurations, especially security issues, in configuration files and infrastructure-as-code definitions.

These projects integrate with Aqua's Cloud Native Application Protection Platform and with many commonly used devops ecosystem tools to help drive faster adoption of cloud-native technologies and processes, while maintaining security. They are supported by Aqua's open source team, which operates separately from commercial engineering. We believe this allows us to maintain our commitment to providing long-term support, building in-demand features with high-quality code, and continually contributing to other projects within the open source community.

Teppei Fukuda is an open source software engineer at Aqua Security.

New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to [email protected]

Copyright © 2021 IDG Communications, Inc.
