Container vulnerability scanning with Aqua Trivy
Overview
The purpose of this post is to document the key steps required to install and run Trivy to fit my workflow for performing vulnerability scans of container images.
Installation
Follow these instructions to add Trivy repository to a Debian/Ubuntu machine’s list of apt sources and install the tool.
Image Scans
The following command runs Trivy against a target container image and will return a table of vulnerability findings.
trivy image [TARGET_IMAGE_NAME]
Useful Flags
| Flag | Description |
|---|---|
--reset |
Remove previously downloaded vulnerability data from the Trivy database |
--output |
Specify the output file name |
--format |
Specify the output format (default=table) |
--severity HIGH,CRITICAL |
Return only HIGH and CRITICAL severity vulnerabilities |
Periodic Scanning
I have a number of containers deployed in my homelab that I would like to periodically scan with Trivy in order to understand what known vulnerabilities exist for them. Rather than repeatedly typing trivy image... commands, I put together the following script to run multiple scans with one command.
Whenever I deploy a new container I simply update this script to include the container image for scanning.
In future I could schedule this script to be run regularly using cron, but for now that’s not necessary.
#!/bin/bash
echo "Scanning uptime-kuma..."
echo " "
trivy image louislam/uptime-kuma:1 --severity HIGH,CRITICAL --output uptime-kuma-results
echo " "
echo "Scan results saved to uptime-kuma-results"
echo "---------------------------------------------"
echo " "
echo "Scanning heimdall..."
echo " "
trivy image lscr.io/linuxserver/heimdall:latest --severity HIGH,CRITICAL --output heimdall-results
echo " "
echo "Scan results saved to heimdall-results"
echo "---------------------------------------------"
echo " "
echo "Scanning portainer..."
echo " "
trivy image portainer/portainer-ce:latest --severity HIGH,CRITICAL --output portainer-results
echo " "
echo "Scan results saved to portainer-results"
echo "---------------------------------------------"
echo " "
echo "Scanning guacamole..."
echo " "
trivy image oznu/guacamole:latest --severity HIGH,CRITICAL --output guacamole-results
echo " "
echo "Scan results saved to guacamole-results"
echo "---------------------------------------------"
echo " "
echo "Scanning wikijs..."
echo " "
trivy image linuxserver/wikijs:latest --severity HIGH,CRITICAL --output wikijs-results
echo " "
echo "Scan results saved to wikijs-results"
echo "---------------------------------------------"
echo " "
echo "Scanning complete, launching web server..."
echo " "
python3 -m http.server 8001
At the end of the script a local webserver is launched on the host to enable the results files to be viewed / downloaded from another machine on the network.