Containerization has become a widely adopted technology for developing and deploying applications. However, because containers are built from many layers and dependencies, ensuring the security of container images is crucial. Trivy, an open-source vulnerability scanner from Aqua Security, is designed specifically for scanning container images.
Scan Your Docker Image with Trivy
Let’s now use Trivy to scan the Docker image we created back in the Docker labs. Switch back to your create-dockerfile directory where your original Dockerfile lives.
cd ~/create-dockerfile
Run the docker images command to check whether your Docker image is still built locally. If not, build it again:
docker build --tag random-facts-app:latest --tag random-facts-app:1.0 .
Run docker images again to validate that your image is now built locally. You should see output similar to the following:
REPOSITORY TAG IMAGE ID CREATED SIZE
random-facts-app 1.0 48d46d2c0328 4 seconds ago 71.1MB
random-facts-app latest 48d46d2c0328 4 seconds ago 71.1MB
Run the following command to scan your Docker image using Trivy:
trivy image random-facts-app
Trivy will download its vulnerability database into a local cache and then start scanning the image for vulnerabilities.
Analyze the Scan Results
Examine the scan summary displayed by Trivy. It provides an overview of the vulnerabilities found, categorized by severity levels such as Critical, High, Medium, and Low.
Scroll through the list of vulnerabilities displayed by Trivy. Each entry includes the CVE ID, severity, package name, installed version, fixed version (where one exists), and a description of the issue.
Pay attention to the severity levels of the vulnerabilities. Critical and High severity vulnerabilities require immediate attention and remediation.
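To turn this manual review into a repeatable check, the following added example (not part of the original lab or the Trivy project) parses Trivy's JSON report, counts findings per severity, lists the ones a package upgrade would clear, and applies a Critical/High gate. The scan() helper assumes `trivy` is on PATH; the embedded report is a constructed sample, and an empty report (as the Wolfi scan in the next section produces) passes the gate.

```python
# Added example: summarise a Trivy JSON report and apply a severity gate.
# scan() assumes `trivy` is on PATH; the other functions take any Trivy report.
import json
import subprocess
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample in Trivy's JSON report layout; the CVE ids, packages
# and versions are placeholders, not findings from the lab image.
SAMPLE_REPORT = {"Results": [
    {"Target": "random-facts-app (alpine)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl", "Severity": "HIGH",
         "InstalledVersion": "1.0", "FixedVersion": "1.1"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "Severity": "MEDIUM",
         "InstalledVersion": "1.0", "FixedVersion": ""},  # no upstream fix yet
    ]},
    {"Target": "app/requirements.txt"},  # clean targets carry no Vulnerabilities key
]}


def scan(image: str) -> dict:
    """Run `trivy image --format json` and return the parsed report."""
    proc = subprocess.run(["trivy", "image", "--format", "json", "--quiet", image],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def summarize(report: dict) -> dict:
    """Count findings per severity, like the summary table Trivy prints."""
    counts = Counter({s: 0 for s in SEVERITIES})
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return dict(counts)


def fixable(report: dict) -> list:
    """(CVE, package, fixed version) for findings a version bump would clear."""
    return [(v["VulnerabilityID"], v["PkgName"], v["FixedVersion"])
            for r in report.get("Results", []) for v in r.get("Vulnerabilities") or []
            if v.get("FixedVersion")]


def gate(report: dict, fail_on=("CRITICAL", "HIGH")) -> bool:
    """True when no finding at a blocking severity remains, i.e. safe to promote."""
    counts = summarize(report)
    return all(counts.get(sev, 0) == 0 for sev in fail_on)
```

Calling `gate(scan("random-facts-app"))` in a CI step reproduces what `trivy image --severity HIGH,CRITICAL --exit-code 1` does, while keeping the counts and fixable list available for a report.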
Leveraging More Secure Base Images with Chainguard
Chainguard is a startup that focuses on securing software supply chains. They maintain a wide catalog of hardened images; the full list can be viewed on Chainguard's site.
We'll test their base image, Wolfi, with Trivy. Pull the Wolfi image from Chainguard locally:
docker pull cgr.dev/chainguard/wolfi-base:latest
Run the same Trivy command as above, but this time against the Wolfi image. Notice that Trivy now reports 0 vulnerabilities. This is exactly what Chainguard is after and is committed to delivering.
Conclusion
In this lab, we explored Aqua Security’s Trivy and learned how to build a Docker image and scan it for vulnerabilities using Trivy. By incorporating Trivy into your container image scanning process, you can enhance the security of your containerized applications and mitigate potential vulnerabilities.
BONUS
Try using Chainguard’s Python image (cgr.dev/chainguard/python) to build your Random Facts application. Push it to your Artifact Registry with the label wolfi and re-deploy the application in your GKE cluster.