In this blog, we will install and examine a new tool called Trivy, which helps identify vulnerabilities, misconfigurations, licenses, secrets, and software dependencies in the following targets:

1. Container image
2. Kubernetes cluster
3. Virtual machine image
4. Filesystem
5. Git repo
6. AWS


Requirements:

1. One virtual machine
2. Any one of the above-mentioned tools


Step 1: Install Trivy

Execute the command below based on your OS.

For Mac:

brew install trivy

For other operating systems, please refer to the link below:
https://aquasecurity.github.io/trivy/v0.45/getting-started/installation/



Step 2: Check an image with Trivy

Let's try with the latest Nginx web server image to identify security vulnerabilities.

Execute the command below.

Syntax: trivy image <image name>:<version>

trivy image nginx:latest



It will provide a detailed view of the image, including the base image, each layer's information, and their vulnerability status in the report.


Step 3: Check a GitHub repo with Trivy

Example GitHub repo: https://github.com/akveo/kittenTricks.git

Execute the following command to check for vulnerabilities in the Git repo,

trivy repo https://github.com/akveo/kittenTricks.git

If you want to see only critical vulnerabilities, you can specify the severity using the following command,

trivy repo --severity CRITICAL https://github.com/akveo/kittenTricks.git



Step 4: Check a YAML file with Trivy

I have used the YAML below from the k8s website to check this:

https://k8s.io/examples/application/deployment.yaml

Execute the command below to find misconfigurations in the YAML:

trivy conf nginx.yaml



Step 5: Check a Terraform script with Trivy

I have used the sample tf script below to check it:

https://github.com/alfonsof/terraform-aws-examples/tree/master/code/01-hello-world

Execute the command below to find misconfigurations in the tf script:

trivy conf 01-hello-world
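
To act on these scans in a pipeline instead of reading the tables by eye, the same commands can be run with Trivy's --format json option and the report summarised by severity. The script below is an added example, not part of the original post or the Trivy project; the sample report is constructed (placeholder IDs and packages, two finding types combined for brevity), and the function names and the blocking policy are assumptions.

```python
import json
from collections import Counter

# Constructed sample in the shape of Trivy's `--format json` report.
# IDs, package names and versions are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "nginx:latest",
    "Results": [
        {"Target": "nginx:latest (debian)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libexample",
              "InstalledVersion": "1.0", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libother",
              "InstalledVersion": "2.3", "FixedVersion": "2.4", "Severity": "LOW"}]},
        {"Target": "nginx.yaml", "Class": "config",
         "Misconfigurations": [
             {"ID": "EXAMPLE-0001", "Severity": "HIGH", "Status": "FAIL"},
             {"ID": "EXAMPLE-0002", "Severity": "MEDIUM", "Status": "PASS"}]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs"},  # clean target: no findings key
    ],
})

def summarise(report_text):
    """Count findings per severity and list criticals that already have a fix."""
    report = json.loads(report_text)
    counts, fixable_critical = Counter(), []
    for result in report.get("Results") or []:          # "Results" may be null
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln["Severity"]] += 1
            if vuln["Severity"] == "CRITICAL" and vuln.get("FixedVersion"):
                fixable_critical.append(
                    (vuln["VulnerabilityID"], vuln["PkgName"], vuln["FixedVersion"]))
        for misconf in result.get("Misconfigurations") or []:
            if misconf.get("Status") == "FAIL":          # skip checks that passed
                counts[misconf["Severity"]] += 1
    return counts, fixable_critical

def gate(report_text, blocking=("CRITICAL", "HIGH")):
    """Return a process exit code: 1 if any blocking-severity finding exists."""
    counts, _ = summarise(report_text)
    return 1 if any(counts[s] for s in blocking) else 0

if __name__ == "__main__":
    counts, fixable = summarise(SAMPLE_REPORT)
    print(dict(counts), fixable, "exit", gate(SAMPLE_REPORT))
```

The fixable-critical list is the part worth triaging first, since a patched package version already exists for those entries.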



That's all. We have installed the Trivy tool and validated it in each category. Thank you for reading!!!


References,

https://github.com/aquasecurity/trivy
https://aquasecurity.github.io/trivy/v0.45/docs/




