
CKS Trivy and Clair - Vulnerability Scanner for Containers and other Artifacts

Using Trivy and Clair to scan container images for vulnerabilities, including installation, usage examples, and scanning deployments for specific CVEs.


Two widely used scanners are Clair and Trivy:
  1. trivy (run one command, very convenient)
    • open source
    • easy to run
  2. clair
    • open source
    • static analysis of vulnerabilities in application containers
    • ingests vulnerability metadata from a configured set of sources
    • provides an API
How to install trivy

Download the Trivy binary from GitHub releases, extract it, and move it to your PATH. After installation, running trivy without arguments displays the help menu.

```shell
# Download the Trivy release tarball, unpack it and put the binary on PATH
wget https://github.com/aquasecurity/trivy/releases/download/v0.17.2/trivy_0.17.2_Linux-64bit.tar.gz
tar -xvzf trivy_0.17.2_Linux-64bit.tar.gz
mv trivy /usr/bin/
trivy   # with no arguments, prints the help menu
```

Scan a container image for HIGH severity vulnerabilities and save the results to a file.

```shell
trivy image --severity HIGH python:3.6.12-alpine3.11 > /root/python.txt
```

Scan a container image saved as a tarball and output results in JSON format.

```text
trivy image --format json -i alpine.tar > /root/alpine.json
root@controlplane:~# cat /root/alpine.json
root@controlplane:~# cat !$
cat /root/alpine.json
2021-05-06T08:20:06.586Z        INFO    Detecting Alpine vulnerabilities...
2021-05-06T08:20:06.587Z        INFO    Trivy skips scanning programming language libraries because no supported file was detected
[
  {
    "Target": "alpine.tar (alpine 3.13.5)",
    "Type": "alpine",
    "Vulnerabilities": null
  }
]
```
How to run trivy as a Docker image

Source: https://github.com/aquasecurity/trivy#docker

You can run Trivy directly as a Docker container without installing it locally. The container pulls the vulnerability database on first run.

```text
docker run ghcr.io/aquasecurity/trivy:latest image nginx:latest
Unable to find image 'ghcr.io/aquasecurity/trivy:latest' locally
latest: Pulling from aquasecurity/trivy
df9b9388f04a: Pull complete
d357a848ae49: Pull complete
feaac6a5c940: Pull complete
6132b2ff13cc: Pull complete
Digest: sha256:c97cc414cfddd63d4933c0bb511493a9636e535b0d6db0fa0153fcf232ce8bf2
Status: Downloaded newer image for ghcr.io/aquasecurity/trivy:latest
2022-06-05T19:45:32.012Z        INFO    Need to update DB
...
2022-06-05T19:46:08.396Z        INFO    Detecting Debian vulnerabilities...
2022-06-05T19:46:08.564Z        INFO    Number of language-specific files: 0

nginx:latest (debian 11.3)
==========================
Total: 138 (UNKNOWN: 0, LOW: 93, MEDIUM: 21, HIGH: 18, CRITICAL: 6)

┌──────────────────┬──────────────────┬──────────┬───────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│     Library      │  Vulnerability   │ Severity │   Installed Version   │ Fixed Version │                            Title                             │
├──────────────────┼──────────────────┼──────────┼───────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ apt              │ CVE-2011-3374    │ LOW      │ 2.2.4                 │               │ It was found that apt-key in apt, all versions, do not       │
│                  │                  │          │                       │               │ correctly...                                                 │
│                  │                  │          │                       │               │ https://avd.aquasec.com/nvd/cve-2011-3374                    │
├──────────────────┼──────────────────┼──────────┼───────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ tar              │ CVE-2005-2541    │ LOW      │ 1.34+dfsg-1           │               │ tar: does not properly warn the user when extracting setuid  │
│                  │                  │          │                       │               │ or setgid...                                                 │
│                  │                  │          │                       │               │ https://avd.aquasec.com/nvd/cve-2005-2541                    │
├──────────────────┼──────────────────┤          ├───────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ util-linux       │ CVE-2022-0563    │          │ 2.36.1-8+deb11u1      │               │ util-linux: partial disclosure of arbitrary files in chfn    │
│                  │                  │          │                       │               │ and chsh when compiled...                                    │
│                  │                  │          │                       │               │ https://avd.aquasec.com/nvd/cve-2022-0563                    │
└──────────────────┴──────────────────┴──────────┴───────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
```

Challenge

Scan images in the applications and infra namespaces for the vulnerabilities CVE-2021-28831 and CVE-2016-9841. Scale those Deployments containing any of these vulnerabilities down to 0 replicas.

```shell
# k is an alias for kubectl. For each Deployment, read the image(s) from the pod
# template, scan them with Trivy and grep the report for the two CVE IDs.
trivy image $(k get deployments.apps -n applications web1 -ojsonpath='{.spec.template.spec.containers[*].image}') | grep -E "CVE-2021-28831|CVE-2016-9841"
trivy image $(k get deployments.apps -n applications web2 -ojsonpath='{.spec.template.spec.containers[*].image}') | grep -E "CVE-2021-28831|CVE-2016-9841"
trivy image $(k get deployments.apps -n infra inf-hjk -ojsonpath='{.spec.template.spec.containers[*].image}') | grep -E "CVE-2021-28831|CVE-2016-9841"

# Scale down only the Deployments whose scan matched (web2 produced no match)
k scale deployment -n applications web1 --replicas=0
k scale deployment -n infra inf-hjk --replicas=0
```
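As an added example (not part of the original post), the Python below does the challenge's filtering on Trivy's JSON output instead of grepping text: it parses reports of the shape shown in alpine.json above, keeps only the two CVE IDs from the challenge, handles the `"Vulnerabilities": null` case, and renders the scale-down commands. The report contents, image names and package names are constructed; only the deployment names web1, web2 and inf-hjk come from the post.

```python
import json

# Constructed Trivy JSON reports keyed by "namespace/deployment" (assumption:
# each produced by `trivy image --format json <image>` for that Deployment's
# image). Trivy 0.17 emits a top-level list of targets, as in alpine.json
# above; newer releases wrap it as {"Results": [...]}. Both are handled below.
SAMPLE_REPORTS = {
    "applications/web1": json.dumps([{
        "Target": "nginx:1.19.1-alpine (alpine 3.12.0)", "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-28831", "PkgName": "busybox", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2020-28928", "PkgName": "musl", "Severity": "MEDIUM"},
        ]}]),
    "applications/web2": json.dumps([{
        "Target": "alpine.tar (alpine 3.13.5)", "Type": "alpine",
        "Vulnerabilities": None}]),  # the null case shown in the post
    "infra/inf-hjk": json.dumps({"Results": [{
        "Target": "httpd:2.4.39-alpine (alpine 3.10.1)", "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2016-9841", "PkgName": "zlib", "Severity": "HIGH"},
        ]}]}),
}
WANTED_CVES = {"CVE-2021-28831", "CVE-2016-9841"}


def matching_cves(report_json, wanted):
    """Return the subset of `wanted` CVE IDs present in one Trivy JSON report."""
    data = json.loads(report_json)
    targets = data.get("Results") if isinstance(data, dict) else data
    found = set()
    for target in targets or []:
        # "Vulnerabilities": null means nothing was detected for this target
        for vuln in target.get("Vulnerabilities") or []:
            if vuln.get("VulnerabilityID") in wanted:
                found.add(vuln["VulnerabilityID"])
    return found


def deployments_to_scale_down(reports, wanted):
    """Map each affected 'namespace/deployment' to the sorted CVEs it carries."""
    return {key: sorted(hits) for key, rep in reports.items()
            if (hits := matching_cves(rep, wanted))}


def scale_down_commands(affected):
    """Render kubectl scale commands for the affected Deployments (not executed)."""
    return [f"kubectl scale deployment -n {ns} {name} --replicas=0"
            for ns, name in (key.split("/", 1) for key in sorted(affected))]
```

Calling `scale_down_commands(deployments_to_scale_down(SAMPLE_REPORTS, WANTED_CVES))` yields the two commands from the challenge, and web2 is left alone because its report contains no matching CVE.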
This post is licensed under CC BY 4.0 by the author.