 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
Security should be one of the most important aspects of container deployments, especially for enterprise production environments that depend on highly scaled applications and services that will not only see massive demand but that will also interact with other services, servers, APIs, etc.
If you skimp on security, you could leave your company open to hacking. All it takes is one hacker gaining access to a single container and they could wind up with the keys to your kingdom.
You don’t want that.
The thing is security has to start from the ground up, otherwise, everything is susceptible. Think of it this way: You cannot build a house on a foundation with cracks, holes, and other vulnerabilities and expect it to be secure. Eventually, that house could crumble. Containers are the same way. If you build them on a foundation with vulnerabilities, there’s no way they’ll be secure.
In other words, the images you use to deploy your containerized application must be vulnerability free.
How do you know if an image contains vulnerabilities? You scan it. How do you scan a container image for vulnerabilities? With a tool like Trivy, first developed by Aqua Security.
Trivy is a command line tool that scans container images for vulnerabilities. Trivy can scan images, file systems, and even Git Repositories, outputting any and all vulnerabilities contained within. A tool like this should be considered an absolute must for any container developer or business that depends on containerized applications and services.
I’m going to show you how Trivy is installed and used on Ubuntu Server 22.04. Do know, however, that Trivy can be installed on the following platforms:
Let’s get to it.
For this tutorial, you’ll need a running instance of Docker Server 22.04 and a user with sudo privileges. That’s it. Time to get to work.
If you don’t already have Docker installed, let’s do it now.
First, install the necessary dependencies with the command:
sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-release -y
Next, add the official Docker GPG key with the command:
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
Add the Docker repository with the following command:
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] \n https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
Update apt with:
sudo apt-get update
Install Docker with the command:
sudo apt-get install docker-ce docker-ce-cli containerd.io -y
Next, you must add your user to the docker group with the command:
sudo usermod -aG docker $USER
Log out and log back in for the changes to take effect.
We can now install Trivy. First download and add the Aqua Security GPG key with:
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
Add the Aqua Security repository with the following command:
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
Update apt with:
sudo apt-get update
Install Trivy with the command:
sudo apt-get install trivy -y
Using Trivy is quite simple. First, we’re going to pull down an image to test. For our first test, we’ll pull down the image for python:3.4-alpine. Do this with the command:
docker pull python:3.4-alpine
Once the image has finished being pulled, run Trivy against it with the command:
trivy image python:3.4-alpine
Trivy will immediately go to work and begin outputting any vulnerabilities it finds. As you can see (Figure 1), Trivy found a number of vulnerabilities, including some marked MEDIUM, HIGH, and CRITICAL.
The output will include a vulnerability CVE number and a bit of information about it, as well as a link for even more information and (in some cases) steps to mitigate the issue.
Let’s run another test, this time on the latest Ubuntu image. Pull the image with:
docker pull ubuntu:latest
Run the scan with:
trivy image ubuntu:latest
This time, Trivy only found a handful of vulnerabilities, the highest rank being MEDIUM.
You can always set up Trivy for client/server mode. What this does is use the server to house the vulnerability database (so the client doesn’t have to). You can then run Trivy from a remote client, using the server address to access the cached database. Here’s how it’s done.
On the server, launch Trivy in server mode with the command:
trivy server --listen 0.0.0.0:8080
Next, make sure Trivy is installed on the client as well, pull down an image to scan with docker, and then test it against the vulnerability database on the server with the command:
trivy client --remote http://SERVER:8080 IMAGE
Where SERVER is the IP address of the server and IMAGE is the image you want to scan. For example, the server might be at IP address 192.168.1.151 and the image is ubuntu:latest. The command for that would be:
trivy client --remote http://192.168.1.151:8080 ubuntu:latest
The client will contact the server and scan the image against the cached vulnerability database on the server.
And that’s all there is to scan Docker images for vulnerabilities with the Trivy command. Every time you pull a new image you should immediately scan it for vulnerabilities and act according to the output. By making sure you’re using images without vulnerabilities (especially those marked either HIGH or CRITICAL), you can be sure your container deployments are built on a solid foundation.
