Dependency & Container Security
Container Security with Trivy
Containers introduce new attack surfaces: base images, OS packages, and misconfiguration. Trivy is the go-to open-source scanner for container security.
Why Container Security Matters
```text
┌─────────────────────────────────────────┐
│ Your Application                        │
├─────────────────────────────────────────┤
│ Application Dependencies                │ ← SCA (Snyk)
├─────────────────────────────────────────┤
│ OS Packages                             │ ← Container scan
│ (apt, apk, yum)                         │
├─────────────────────────────────────────┤
│ Base Image                              │ ← Container scan
│ (ubuntu:22.04, node:20)                 │
└─────────────────────────────────────────┘
```
Container vulnerabilities by layer:
- Base images: 40-60% of vulnerabilities come from outdated base images
- OS packages: Unpatched system libraries
- Application deps: Already covered by SCA
- Misconfigurations: Running as root, exposed secrets
Trivy Overview
| Feature | Description |
|---|---|
| Price | Free and open source |
| Targets | Images, filesystems, git repos, Kubernetes |
| Databases | NVD, Alpine, Debian, Ubuntu, Red Hat, etc. |
| Output | Table, JSON, SARIF, CycloneDX |
| Speed | Very fast (uses local cache) |
Installation
```bash
# macOS
brew install trivy

# Linux (Debian/Ubuntu): trivy is not in the distribution repositories,
# so add Aqua's apt repository and signing key first
sudo apt-get install -y wget apt-transport-https gnupg
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install -y trivy

# Docker (mount the Docker socket so the scanner can see locally built images)
docker pull aquasec/trivy
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image nginx:1.25
```
Scanning Container Images
```bash
# Scan a local image
trivy image my-app:latest

# Scan from registry
trivy image nginx:1.25

# Scan with severity filter
trivy image --severity HIGH,CRITICAL nginx:1.25

# Output as JSON
trivy image --format json -o results.json nginx:1.25
```
Understanding Trivy Output
```text
nginx:1.25 (debian 12.1)
=========================
Total: 142 (UNKNOWN: 0, LOW: 82, MEDIUM: 43, HIGH: 15, CRITICAL: 2)

┌─────────┬───────────────┬──────────┬───────────────────┐
│ Library │ Vulnerability │ Severity │ Fixed Version     │
├─────────┼───────────────┼──────────┼───────────────────┤
│ libssl3 │ CVE-2024-0727 │ CRITICAL │ 3.0.13-1~deb12u1  │
│ openssl │ CVE-2024-0727 │ CRITICAL │ 3.0.13-1~deb12u1  │
│ curl    │ CVE-2024-2398 │ HIGH     │ 7.88.1-10+deb12u5 │
└─────────┴───────────────┴──────────┴───────────────────┘
```
CI/CD Integration
GitHub Actions
```yaml
# .github/workflows/trivy.yml
name: Container Security Scan

on:
  push:
    branches: [main]

# upload-sarif writes to code scanning, which the default GITHUB_TOKEN
# permissions do not allow; grant it explicitly
permissions:
  contents: read
  security-events: write

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t my-app:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
        # @master is a moving ref; pin a release tag or commit SHA for a reproducible pipeline
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'my-app:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'

      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
```
Pre-Push Hook
```bash
#!/bin/bash
# .git/hooks/pre-push
set -eu

# `docker images | head -1` picks whichever image was created most recently, which is
# not necessarily the one being pushed; set IMAGE_NAME to scan a specific image instead
IMAGE_NAME="${IMAGE_NAME:-$(docker images --format "{{.Repository}}:{{.Tag}}" | head -1)}"

# --exit-code 1 makes trivy return non-zero on any CRITICAL finding, which aborts the push
trivy image --exit-code 1 --severity CRITICAL "$IMAGE_NAME"
```
Scanning Different Targets
```bash
# Scan filesystem (for IaC misconfigurations)
# --security-checks is the older flag name; recent releases spell it --scanners vuln,misconfig
trivy fs --security-checks vuln,config .

# Scan Kubernetes manifests
trivy config ./k8s/

# Scan git repository
trivy repo https://github.com/your-org/your-repo

# Scan running Kubernetes cluster
trivy k8s --report summary cluster
```
Configuration Scanning
Trivy also finds misconfigurations:
```bash
trivy config ./
```

```text
Dockerfile (dockerfile)
=======================
Tests: 23 (SUCCESSES: 19, FAILURES: 4)

┌───────────────────────────────────────────────┐
│ Failures: 4                                   │
├───────┬──────────┬────────────────────────────┤
│ Check │ Severity │ Message                    │
├───────┼──────────┼────────────────────────────┤
│ DS002 │ HIGH     │ Running as root user       │
│ DS026 │ MEDIUM   │ No HEALTHCHECK instruction │
│ DS001 │ LOW      │ ':latest' tag used         │
└───────┴──────────┴────────────────────────────┘
```
Ignoring Findings
```text
# .trivyignore
# Ignore specific CVEs
CVE-2024-0727

# Entries are vulnerability or check IDs only; a bare package name such as
# "openssl" matches nothing. Scoping an ignore to a package or path needs the
# YAML form of the file (.trivyignore.yaml). Misconfiguration checks are ignored by ID:
DS026

# Ignore with expiration (reported again once the date has passed)
CVE-2024-2398 exp:2025-01-01
```
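A policy gate over the JSON report, tying the output format from Understanding Trivy Output to the `.trivyignore` semantics above: it honours plain and `exp:` entries, counts what remains per severity, and blocks only on findings that have a fixed version. This is an added example, not the page's or Trivy's own code; the report and ignore file are constructed samples, `CVE-0000-0000` is a placeholder ID, and the exact `exp:` boundary and the fixed-only rule are assumptions.

```python
import json
from datetime import date

# Constructed sample shaped like `trivy image --format json` output (not a real scan);
# CVE-0000-0000 is a placeholder ID standing in for a finding that has no fixed version.
SAMPLE_REPORT = json.dumps({"Results": [{"Target": "nginx:1.25 (debian 12.1)", "Type": "debian",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2024-0727", "PkgName": "openssl", "InstalledVersion": "3.0.11-1~deb12u2",
         "FixedVersion": "3.0.13-1~deb12u1", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2024-2398", "PkgName": "curl", "InstalledVersion": "7.88.1-10+deb12u4",
         "FixedVersion": "7.88.1-10+deb12u5", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0000", "PkgName": "libexample", "InstalledVersion": "1.0", "Severity": "HIGH"}]}]})
# Constructed .trivyignore in the same syntax as the file above: one ID per line, optional exp:YYYY-MM-DD.
SAMPLE_IGNORE = "# accepted risk, tracked in ticket\nCVE-2024-0727\nCVE-2024-2398 exp:2025-01-01\n"


def parse_trivyignore(text, today):
    """Return the set of IDs still ignored on `today` (an ISO date string).
    Assumption: an exp: entry stops applying once `today` reaches that date."""
    ignored = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        expiry = next((p[4:] for p in parts[1:] if p.startswith("exp:")), None)
        if expiry is None or date.fromisoformat(today) < date.fromisoformat(expiry):
            ignored.add(parts[0])
    return ignored


def gate(report_json, ignore_text, today, fail_on=("CRITICAL", "HIGH"), fixed_only=True):
    """Count non-ignored findings per severity and list the ones that block the build.
    fixed_only=True blocks only when an upgrade exists: unfixable CVEs are counted but
    do not fail the pipeline (a policy choice, not Trivy's default behaviour)."""
    ignored = parse_trivyignore(ignore_text, today)
    counts, blocking = {}, []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # key is absent when a target is clean
            if v["VulnerabilityID"] in ignored:
                continue
            sev = v.get("Severity", "UNKNOWN")
            counts[sev] = counts.get(sev, 0) + 1
            fix = v.get("FixedVersion")
            if sev in fail_on and (fix or not fixed_only):
                blocking.append(f"{v['PkgName']} {v['VulnerabilityID']} ({sev}) -> {fix or 'no fix'}")
    return counts, blocking


if __name__ == "__main__":
    counts, blocking = gate(SAMPLE_REPORT, SAMPLE_IGNORE, date.today().isoformat())
    print("counts:", counts, "\n" + "\n".join(blocking))
    raise SystemExit(1 if blocking else 0)  # non-zero exit aborts the push/job, like --exit-code 1
```

Point it at a real `results.json` by replacing `SAMPLE_REPORT` with the file contents and `SAMPLE_IGNORE` with the repository's `.trivyignore`.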
Next, we'll explore base image hardening and distroless containers.