Checking the security of Docker images with Trivy

Container security is one of the most important aspects of cybersecurity. In this article, I will introduce you to a tool for checking the security of Docker containers. We'll cover installing and using Trivy.

Checking the security of Docker images with Trivy

Aqua Security's Trivy is a vulnerability scanner for Docker images. Trivy can scan both an image in a registry and a local image. It looks for two classes of vulnerabilities: OS package vulnerabilities (supported for Alpine, RedHat (EL), CentOS, Debian GNU/Linux and Ubuntu) and application dependency vulnerabilities found in lock files (Gemfile.lock, Pipfile.lock, composer.lock, package-lock.json, yarn.lock, Cargo.lock).

While there are many tools on the market for checking the security of containers, this one is by far one of the lightest and most versatile.

Trivy runs on a variety of platforms including RHEL, CentOS, Ubuntu, Debian, Arch Linux, macOS, Nix, etc. We will install and use it on Ubuntu 18.04 LTS (Bionic Beaver).

Installing Trivy

There are different ways to install Trivy on different platforms. To install Trivy on Ubuntu, use the following commands:

Code:
$ sudo apt-get install wget apt-transport-https gnupg lsb-release
$ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
$ echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
$ sudo apt-get update
$ sudo apt-get install trivy


After installation, let's start searching and scanning for vulnerabilities.

Using the Trivy Vulnerability Scanner

To run a Docker image vulnerability scan, use the following command:

Code:
$ trivy image <image>

For example, we want to run an nginx image vulnerability scan:

Code:
$ trivy image nginx:latest


As you can see, there are a lot of vulnerabilities. Now let's run the same scan against the Alpine image (its output is far shorter):

We can also use Trivy to detect security misconfigurations in infrastructure-as-code files such as Dockerfiles and Kubernetes manifests.

Detecting incorrect security settings

The misconfiguration scan can be run against both a local file system and git repositories. Let's try a file system scan. To do this, clone this repository:

The git repository contains a Dockerfile and a deployment.yaml k8s manifest file.

The Dockerfile looks like this:

Code:
FROM nginx
USER root

Note that we started from the base nginx image and set the user to root. This is not best practice: running containers as the root user is not recommended.

The file deployment.yaml looks like this:

Code:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
        securityContext:
          privileged: true

In this manifest, we purposefully set privileged: true in the container's securityContext as an experiment. This, of course, should never be done in practice.

Now, let's try to run a scan and see if it can find this critical (in terms of security) configuration setting:

Code:
$ trivy config <config_directory>

As you can see, the scanner found this problem in the configuration.
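Both the image scan and the config scan above can also be run with --format json --output report.json, which is how the results are usually consumed in a CI pipeline. The following is an added example, not code from the article or from the Trivy project: it parses a constructed report in the shape Trivy emits (Results with Vulnerabilities for an image scan and Misconfigurations for a config scan), counts findings by severity, and decides whether a build should be blocked. All vulnerability IDs, package names, versions and the misconfiguration ID in the sample are placeholders, not real findings; the threshold logic mirrors what trivy's --severity and --exit-code flags do on the command line, and the ignore_unfixed option mirrors --ignore-unfixed.

```python
"""Summarise and gate on a Trivy JSON report (trivy image/config --format json)."""
import json
from collections import Counter

# Constructed sample report in the shape Trivy writes with --format json.
# Every ID, package and version below is a placeholder, not a real finding.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "nginx:latest (debian 11.6)",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
                 "InstalledVersion": "2.3-1", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3",
                 "InstalledVersion": "0.9", "FixedVersion": "0.9.1", "Severity": "LOW"},
            ],
        },
        {
            "Target": "deployment.yaml",
            "Type": "kubernetes",
            "Misconfigurations": [
                {"ID": "EXAMPLE-PRIV-001", "Title": "Privileged container",
                 "Severity": "HIGH", "Status": "FAIL",
                 "Message": "Container 'nginx' should not run as privileged"},
            ],
        },
    ],
})

# Trivy severities from least to most severe; index is used for comparison.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def findings(report_json, ignore_unfixed=False):
    """Yield (target, id, severity, has_fix) for every vulnerability and failed check."""
    report = json.loads(report_json)
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        # Image / filesystem scan results carry a Vulnerabilities list.
        for v in result.get("Vulnerabilities") or []:
            has_fix = bool(v.get("FixedVersion"))
            if ignore_unfixed and not has_fix:
                continue  # equivalent of --ignore-unfixed: skip what you cannot patch yet
            yield target, v["VulnerabilityID"], v.get("Severity", "UNKNOWN"), has_fix
        # Config scan results carry a Misconfigurations list; only FAIL entries matter.
        for m in result.get("Misconfigurations") or []:
            if m.get("Status", "FAIL") != "FAIL":
                continue
            yield target, m["ID"], m.get("Severity", "UNKNOWN"), True


def summarize(report_json, ignore_unfixed=False):
    """Return a dict of severity -> number of findings, with every severity present."""
    counts = Counter(sev for _, _, sev, _ in findings(report_json, ignore_unfixed))
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def should_block(report_json, threshold="HIGH", ignore_unfixed=False):
    """True if any finding is at or above threshold (like --severity HIGH,CRITICAL --exit-code 1)."""
    floor = SEVERITY_ORDER.index(threshold)
    return any(SEVERITY_ORDER.index(sev) >= floor
               for _, _, sev, _ in findings(report_json, ignore_unfixed))


if __name__ == "__main__":
    for target, fid, sev, has_fix in findings(SAMPLE_REPORT):
        print(f"{sev:8} {fid:18} {target}{'' if has_fix else '  (no fix available)'}")
    print(summarize(SAMPLE_REPORT))
    print("block build:", should_block(SAMPLE_REPORT))
```

In a pipeline, the same decision is usually taken by trivy itself (trivy image --severity HIGH,CRITICAL --exit-code 1 nginx:latest), but parsing the JSON yourself lets you keep the full report as an artefact, apply a different threshold per target, and count a privileged container in a manifest with the same weight as a critical CVE in the image.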

Conclusion

Trivy works well as a comprehensive static analysis tool for the security of container images and associated configuration, and it plays well with CI. When implemented effectively, it can significantly improve the security of containers.