# [Trivy](https://github.com/aquasecurity/trivy)

### Overview:

Scanner for vulnerabilities in **container images**, **file systems**, and **Git repositories**, as well as for _**configuration issues**_ and _**hard-coded secrets**_.

## Trivy detects 2 types of security issues:

### [1. Vulnerability Scanning](https://aquasecurity.github.io/trivy/v0.28.0/imgs/vulnerability.png)

Scanning [Data Sources](https://aquasecurity.github.io/trivy/v0.28.0/docs/vulnerability/detection/data-source/):

- [OS packages](https://aquasecurity.github.io/trivy/v0.28.0/docs/vulnerability/detection/os/)
- [Language-specific packages](https://aquasecurity.github.io/trivy/v0.28.0/docs/vulnerability/detection/language/)

### [2. Misconfiguration Scanning](https://aquasecurity.github.io/trivy/v0.28.0/imgs/misconf.png)

- Kubernetes
- Docker
- Terraform
- CloudFormation

In addition, we can write our own policies in [Rego (OPA's native query language)](https://www.openpolicyagent.org/docs/latest/policy-language/) to scan JSON, YAML, etc., like [Conftest](https://github.com/open-policy-agent/conftest/) does.

## Trivy scans 4 different artifacts: Demo 5 mins

- **Container Images**: Demo 1 mins. _It supports_:
  - A local image in Docker Engine which is running as a daemon
  - A local image in Podman (>=2.0) which is exposing a socket
  - A remote image in a Docker Registry such as Docker Hub, ECR, GCR and ACR
  - A tar archive stored in the `docker save` / `podman save` formatted file
  - An image directory compliant with the OCI Image Format
- [**Filesystem**](https://aquasecurity.github.io/trivy/v0.28.0/docs/vulnerability/scanning/filesystem/): _Demo #2: 1 mins_
  - Standalone Mode:
    - Can scan a single file
    - Can scan a project (based on Gemfile.lock and package-lock.json)
  - Client/Server Mode
- [**Rootfs**](https://aquasecurity.github.io/trivy/v0.28.0/docs/vulnerability/scanning/rootfs/): _Demo #3: 2 mins_
  - Similar to fs but can use
  - Use case: scan your container from inside the container
- [**Git Repositories**](https://aquasecurity.github.io/trivy/v0.28.0/docs/vulnerability/scanning/git-repository/): _Demo #4: 1 mins_
  - GitHub
  - GitLab

## Misconfiguration: Demo 2 mins

IaC (Infrastructure as Code) files such as Terraform, CloudFormation, Kubernetes, and Dockerfile

- Backed via policies written in Rego & Go
- Source of truth: [defsec repository](https://github.com/aquasecurity/defsec)

| Config type | Source |
|---------------------------|----------------------|
| Kubernetes | [defsec kubernetes](https://github.com/aquasecurity/defsec/tree/master/internal/rules/kubernetes) |
| Dockerfile, Containerfile | [defsec docker](https://github.com/aquasecurity/appshield/tree/master/internal/rules/docker) |
| Terraform | [defsec defsec](https://github.com/aquasecurity/defsec) |
| CloudFormation | [defsec defsec](https://github.com/aquasecurity/defsec) |
| Ansible | [Coming soon](https://github.com/aquasecurity/defsec) |

- Misconfiguration detection is not enabled by default in the `image`, `fs` and `repo` subcommands.
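The two points above (custom Rego policies, and misconfiguration/secret detection being off by default for `image`, `fs` and `repo`) combined into a small CI gate. This is an added example, not code from the Trivy project or from this talk; it assumes the v0.28-era CLI flags (`--security-checks`, `--policy`, `--namespaces`) and the `__rego_metadata__`/`__rego_input__` custom-policy layout of that version, and the policy file name, rule ID `CUST001` and `run_gate` helper are made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the Trivy project. Assumes the v0.28-era CLI flags:
# `--security-checks vuln,config,secret` (scanners off by default for image/fs/repo)
# and `trivy config --policy DIR --namespaces user` for custom Rego policies.
set -eu

# Constructed custom policy: flag Deployments whose containers leave the root
# filesystem writable. Trivy passes the parsed manifest as `input`, so the rule
# reads plain Kubernetes fields. The metadata layout is the v0.28-era format (assumption).
write_policy() {
  mkdir -p "$1"
  cat > "$1/readonly_rootfs.rego" <<'EOF'
package user.kubernetes.CUST001
__rego_metadata__ := {
    "id": "CUST001",
    "title": "Container root filesystem is writable",
    "severity": "MEDIUM",
    "type": "Custom Kubernetes Check",
    "description": "Set securityContext.readOnlyRootFilesystem: true on every container.",
}
__rego_input__ := {"selector": [{"type": "kubernetes"}]}
deny[res] {
    input.kind == "Deployment"
    c := input.spec.template.spec.containers[_]
    not c.securityContext.readOnlyRootFilesystem
    res := {"msg": sprintf("Deployment %s: container %s has a writable root filesystem", [input.metadata.name, c.name])}
}
EOF
}

# Arguments for an image/fs/repo scan that also covers misconfigurations and
# hard-coded secrets, and fails the pipeline on HIGH/CRITICAL findings.
trivy_args() {
  echo "$1 --security-checks vuln,config,secret --severity HIGH,CRITICAL --exit-code 1 $2"
}

# CI gate: image scan, filesystem scan of the checkout, then the custom policy
# against the manifests in it. Without trivy on PATH, only print the commands.
run_gate() {
  write_policy "$3"
  if ! command -v trivy >/dev/null 2>&1; then
    echo "trivy not found; would run: trivy $(trivy_args image "$1") ; trivy $(trivy_args fs "$2")" >&2
    return 0
  fi
  trivy $(trivy_args image "$1")
  trivy $(trivy_args fs "$2")
  trivy config --policy "$3" --namespaces user --exit-code 1 "$2"
}

if [ "${TRIVY_GATE_RUN:-0}" = 1 ]; then run_gate "${IMAGE:-alpine:3.15}" . ./policies; fi
```

Run with `TRIVY_GATE_RUN=1 IMAGE=<your image> sh gate.sh` from the repository root; a non-zero exit from any of the three scans stops the pipeline.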
### Kubernetes: Demo 1 mins

- CLI
- Operator like

### SBOM (Software Bill of Materials): Demo 2 mins

Trivy currently supports the following SBOM formats.

- [CycloneDX](https://cyclonedx.org/): JSON only currently, not XML
- [SPDX](https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf) (Software Package Data Exchange): SPDX-JSON is also supported

### Secrets

- AWS access key
- GCP service account
- GitHub personal access token
- GitLab personal access token
- Slack access token

### DevSecOps

Suitable for CI such as CircleCI, Travis CI, Jenkins, GitLab CI, etc.

- [Trivy GitHub Action](https://github.com/aquasecurity/trivy-action)
- The Microsoft Azure team has written a [container-scan action](https://github.com/Azure/container-scan) that uses Trivy and Dockle
- [Bitbucket Pipe](https://github.com/aquasecurity/trivy-pipe) for running Trivy in a pipeline
- [AWS CodePipeline](https://aws.amazon.com/blogs/containers/scanning-images-with-trivy-in-an-aws-codepipeline/)
- [AWS Security Hub](https://aws.amazon.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/)

### Community Stats:

```shell=
Commits: 875
Stars: 11.9k
Forks: 1.1k
Watchers: 125
PR
  - Closed: 906
  - Open: 34
Issues
  - Closed: 877
  - Open: 194
```

#### Extras:

- Replacement of [microscanner](https://github.com/aquasecurity/microscanner)
- [Comparison](https://aquasecurity.github.io/trivy/v0.17.0/comparison/)

> Date: 20-May-2022