Containerization is one of the practices software development teams adopt most often as the DevOps culture continues to grow in popularity. Most of these environments benefit from the features containerization provides, such as scalability, portability and process isolation.
However, it is essential to consider how secure a piece of software is before shipping it to your clients. When your releases are container images, heavy use of third-party and outdated libraries means you run the risk of shipping known vulnerabilities inside those images. A reliable way of scanning container images is therefore needed, and this is where Trivy comes in handy.
Table of Contents
- What is Trivy?
- Is Trivy free?
- How to integrate Trivy into an existing GitLab CI pipeline
- Bonus tip - scan images of a Kubernetes resource with Trivy
What is Trivy?
Trivy is an easy-to-use, fast and comprehensive open-source tool used by DevOps and security teams for vulnerability and infrastructure as code (IaC) scanning of containers and other artifacts. Maintained by Aqua Security, Trivy:
- Works with container images, file systems and even git repositories.
- Is easy to install with no prerequisites: there is no database server to set up, because the vulnerability database is downloaded on first run and cached locally.
- Is fast to run, since scans work against that local database.
- Fits the DevSecOps methodology as it can be integrated into CI systems (CircleCI, Jenkins, GitLab CI or GitHub Actions).
Find out more about the different Operating Systems and Application Dependencies that Trivy can scan here:
Is Trivy Free?
Yes, Trivy is 100% free since it is an open-source project. Aqua, the team behind Trivy, is committed to keeping the project open source, which helps maintain code quality and encourages participation from other open-source projects.
How to Integrate Trivy into an Existing GitLab CI Pipeline
There are two approaches to integrating the Trivy scanner into GitLab CI. Firstly, GitLab CI offers a built-in container scanning integration based on Trivy, which works out of the box if you host your images in GitLab's Container Registry. This is probably the easiest way to integrate Trivy into a CI pipeline. You can find more information here: https://docs.gitlab.com/ee/user/application_security/container_scanning/.
On the other hand, if you are using another container registry, in our case Google Container Registry, things work a bit differently, but it is not a big challenge to accomplish.
Please note that for this blog post, we cover integrating Trivy into an existing GitLab CI pipeline using Google Container Registry. However, we recommend using Google Artifact Registry, which is the current offering for storing, managing, and securing your build artifacts on Google Cloud.
The link to the repository used:
We ran the building stage and performed a quick vulnerability scan with Trivy Standalone before pushing the image to our container registry.
Setting Up a Service Account on GCP
For Trivy to pull from a private container registry such as GCR, you need a service account that can read the registry. GCR stores image layers in a Cloud Storage bucket, so the Storage Object Viewer role (roles/storage.objectViewer) is enough for pulls; for Artifact Registry the equivalent is roles/artifactregistry.reader.
Below are the instructions you need to create the required permissions:
Once you create the service account, create a key for it in JSON format:
We used the same key to pull, build, push and run the Trivy scan job. Note that pushing requires write access, so a key shared this way is more privileged than the scanner needs; a separate read-only account for scanning limits the damage if the CI variable ever leaks.
Export that key so you can use it as a variable in GitLab CI:
From the repository, navigate to Settings > CI/CD > Variables:
Create a new variable and paste the key you copied with the xclip command.
Modifying .gitlab-ci.yml to Integrate the Scan Job by Trivy
Right before we push our image is where we run Trivy to scan for vulnerabilities. If a vulnerability with severity Critical is found, we want the pipeline to fail so we can fix the issue before anything is pushed:
- --no-progress suppresses the progress bar so the job log stays readable;
- --ignore-unfixed hides vulnerabilities for which no fixed package version has been published yet. By default Trivy reports them too, but you cannot get rid of them by updating packages, so in a gate they only add noise;
- --severity filters the output to the listed levels, for example HIGH,CRITICAL;
- --exit-code 1 makes trivy exit non-zero when at least one vulnerability matches the filters, which fails the job and therefore the pipeline;
- .trivyignore is not used in our case, but if you decide a finding should be suppressed, you list its vulnerability ID in that file (one per line, lines starting with # are comments) and Trivy skips it.
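A job implementing the flow described above, written here as an added example rather than the post's own .gitlab-ci.yml. It assumes the service account key is stored base64-encoded in a GCP_SA_KEY variable, a registry path under gcr.io, and a pinned Trivy version; the image, tag and version names are placeholders. Because the scan runs against the image just built inside the job, Trivy itself needs no registry credentials; the docker login is only there to pull a private base image and to push afterwards. Two Trivy passes are used: the first reports HIGH findings without failing, the second gates on CRITICAL.

```yaml
# Added example, not the original post's pipeline. Assumed: GCP_SA_KEY
# (base64 of the service account JSON key), the GCR path and TRIVY_VERSION.
stages:
  - build

variables:
  GCR_IMAGE: gcr.io/my-gcp-project/my-app   # assumed registry path
  TRIVY_VERSION: "0.50.1"                   # assumed pin; bump on purpose, not by accident
  DOCKER_HOST: tcp://docker:2375
  DOCKER_TLS_CERTDIR: ""

build-scan-push:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  cache:
    key: trivy-db
    paths:
      - .trivycache/        # reuse the vulnerability DB between runs
  before_script:
    - apk add --no-cache curl
    - curl -sSfL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | tar -xz -C /usr/local/bin trivy
    # Decode the masked variable and log in to GCR with the service account key.
    - echo "$GCP_SA_KEY" | base64 -d > /tmp/key.json
    - docker login -u _json_key --password-stdin https://gcr.io < /tmp/key.json
  script:
    - docker build -t "$GCR_IMAGE:$CI_COMMIT_SHORT_SHA" .
    # Pass 1: list HIGH findings for review, never fail on them.
    - trivy image --cache-dir .trivycache/ --no-progress --ignore-unfixed --severity HIGH --exit-code 0 "$GCR_IMAGE:$CI_COMMIT_SHORT_SHA"
    # Pass 2: any fixable CRITICAL finding fails the job, so the push below never runs.
    - trivy image --cache-dir .trivycache/ --no-progress --ignore-unfixed --severity CRITICAL --exit-code 1 "$GCR_IMAGE:$CI_COMMIT_SHORT_SHA"
    - docker push "$GCR_IMAGE:$CI_COMMIT_SHORT_SHA"
  after_script:
    - rm -f /tmp/key.json
```

Trivy picks up a `.trivyignore` file from the working directory automatically, so suppressions live next to the Dockerfile and are reviewed with the rest of the code. Pinning TRIVY_VERSION rather than downloading "latest" keeps the gate reproducible and lets you upgrade the scanner in its own commit.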
Viewing Reports from Trivy
Your pipeline is now running, and Trivy scans the container image you are about to push to GCR.
The pipeline has failed, so let's review the GitLab Runner output:
This is the expected behaviour of the --exit-code 1 flag we set: a Critical finding fails the job, and the push step that follows it never runs.
Bonus Tip - Scan images of a Kubernetes Resource with Trivy
A handy plugin is trivy-plugin-kubectl, which lets you scan the images of a running pod, job or deployment in your Kubernetes cluster through kubectl, without having to look up the image references yourself. Note that the plugin has since been archived upstream; recent Trivy releases provide the same capability through the built-in trivy k8s command.
Running a security scanner for container images isn't something you only want to do when you're about to merge your changes to Production. The best practice is to run it on every feature branch, so you have time to fix any security issues in your build before they reach the release pipeline. This is part of the DevSecOps methodology covered in our blog post, and we believe it will be useful for DevOps and security teams.
More cost-effective than hiring in-house, Nearshore Boost, our nearshore software development service, helps your business stay competitive with an expanded team and a bigger global presence, while staying flexible as you respond to your customers' needs.
Learn more about our services by booking a free consultation with us today!