Day 25: Container Security with Trivy - My 90 Days of DevOps Journey


Hi DevOps Enthusiasts! Today, on Day 25 of my 90 Days of DevOps challenge, I decided to dive into the world of container security with Trivy. I've been hearing great things about it, and I'm excited to share my experience with you.

Why Trivy?

Trivy is a powerful tool that scans your container images for vulnerabilities. It's like having a security detective for your containers, uncovering potential weaknesses before they can be exploited. I'm impressed by its comprehensive approach: it checks the image's operating-system packages as well as the language libraries and application dependencies baked into it. This is especially important for my project, where I'm using GitLab for version control and potentially setting up a CI/CD pipeline. I want to ensure that my code, and the containers it builds, are secure from the start.

My Trivy Journey: A Hands-On Approach

Since I'm working on a Windows machine, I went straight to the Trivy website (https://aquasecurity.github.io/trivy/) to download the latest release. The site's install page links to the GitHub releases page (https://github.com/aquasecurity/trivy/releases), where the release archives for each platform and their SHA-256 checksums are published. This direct approach gives me more control over the installation process.

Project Guide: Setting Up Trivy on Windows

Here's a step-by-step guide based on my experience, incorporating the GitLab connection:

  1. Download Trivy: Head to the official Trivy website and follow the link to the releases page, then grab the 64-bit Windows download. You'll get a zip file; the releases page also lists a checksums file you can use to verify it before extracting.

  2. Extract Trivy: Extract the contents of the zip file to a directory of your choice.

  3. Add Trivy to your PATH: To run Trivy from any location in your command prompt, you need to add its directory to your system's PATH environment variable.

    • Open the Control Panel: Search for "Control Panel" in the Windows search bar and open it.

    • Go to System and Security: Click on "System and Security".

    • Click on System: Click on "System".

    • Click on Advanced system settings: Click on "Advanced system settings" in the left pane.

    • Go to the Advanced tab: In the System Properties window, click on the "Advanced" tab.

    • Click on Environment Variables: Click on the "Environment Variables" button.

    • Edit the PATH variable: In the "System variables" section, find the "Path" variable and click on "Edit".

    • Add the directory: Click on "New" and add the full path to the directory where you extracted Trivy. For example, if you extracted Trivy to C:\Trivy, you would add C:\Trivy to the PATH variable.

    • Click OK to save the changes: Click "OK" on each window to save the changes you made.

  4. Verify Installation: Open a command prompt and run trivy --version. You should see the installed version of Trivy.

  5. Integrate Trivy into your GitLab CI/CD Pipeline: You can use Trivy within your GitLab CI/CD pipeline to automatically scan your container images for vulnerabilities. This ensures that every time you push code to GitLab, your container images are checked for security issues.
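The same install (steps 1 to 4) can be scripted from PowerShell, which also lets you verify the archive against the published checksum before unpacking it. This is an added example, not code from the original post or from the Trivy project; the version number, the release asset names and the C:\Trivy destination are assumptions you should check against the releases page. It writes to the user PATH rather than the system PATH so no elevated prompt is needed.

```powershell
# Added example: scripted install of the Trivy Windows release.
# $Version, the asset file names and $Dest are assumptions; confirm them on
# https://github.com/aquasecurity/trivy/releases before running.
$Version = "0.50.1"
$Dest    = "C:\Trivy"
$Base    = "https://github.com/aquasecurity/trivy/releases/download/v$Version"
$Zip     = "trivy_${Version}_windows-64bit.zip"
$Sums    = "trivy_${Version}_checksums.txt"

New-Item -ItemType Directory -Force -Path $Dest | Out-Null
Invoke-WebRequest -Uri "$Base/$Zip"  -OutFile (Join-Path $Dest $Zip)
Invoke-WebRequest -Uri "$Base/$Sums" -OutFile (Join-Path $Dest $Sums)

# Verify the archive against the published SHA-256 before unpacking anything.
# The checksums file has one "<sha256>  <filename>" line per asset.
$expected = (Select-String -Path (Join-Path $Dest $Sums) -SimpleMatch $Zip).Line -split '\s+' |
    Select-Object -First 1
$actual = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $Dest $Zip)).Hash
if ($expected -ne $actual) {   # -ne compares case-insensitively, so hex case does not matter
    throw "Checksum mismatch for $Zip (expected $expected, got $actual)"
}

Expand-Archive -Path (Join-Path $Dest $Zip) -DestinationPath $Dest -Force

# Persist the directory on the user PATH (no admin rights needed) and update this session.
$userPath = [Environment]::GetEnvironmentVariable("Path", "User")
if (($userPath -split ';') -notcontains $Dest) {
    [Environment]::SetEnvironmentVariable("Path", "$userPath;$Dest", "User")
}
$env:Path = "$env:Path;$Dest"

# Same verification as step 4.
trivy --version
```

Run it from a normal (non-elevated) PowerShell window. Other already-open command prompts will not see the new PATH entry until they are restarted, which is also true of the Control Panel method.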

Code Snippets and Scripts

Here are some code snippets and scripts you can use to get started with Trivy, keeping in mind the GitLab integration:

1. Basic Scan:

trivy image <image_name>

Replace <image_name> with the name of your container image. This will scan the image for vulnerabilities and output a report.

2. Scanning a Docker Image:

trivy image docker.io/library/nginx:latest

This command scans the latest Nginx image from Docker Hub; Trivy pulls the image itself if it isn't already present locally. Note that "latest" is a moving tag, so two scans of it on different days can cover different images. Pin a specific tag or digest when you need a reproducible result.

3. Scanning a Local Image:

trivy image my-app:v1.0.0

This command scans a locally built image named "my-app" with the tag "v1.0.0".

4. Saving the Scan Results to a File:

trivy image --format json --output scan_results.json <image_name>

This command saves the scan results in JSON format to a file named "scan_results.json". The output format is selected with --format (-f), and --output (-o) writes it to a file; redirecting stdout with > works too, as long as --format json is still given. Add --ignore-unfixed if you only want findings for which a fixed package version already exists.

5. Scanning a Container Registry:

trivy image registry.example.com/my-app/my-image:latest

This command scans an image from a private container registry. Trivy needs credentials for that registry: either log in with docker login first, or set the TRIVY_USERNAME and TRIVY_PASSWORD environment variables before running the scan.

6. GitLab CI/CD Integration (Example):

image: docker:latest

stages:
  - build
  - test
  - scan

variables:
  IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA

build:
  stage: build
  services:
    - docker:dind
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$IMAGE" .
    # Each job runs on a fresh runner, so the image has to be pushed for the scan job to see it.
    - docker push "$IMAGE"

test:
  stage: test
  script:
    - echo "Running tests..."

scan:
  stage: scan
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]   # the image's entrypoint is trivy itself; clear it so the script lines run
  variables:
    TRIVY_USERNAME: $CI_REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    # Report everything, but only HIGH and CRITICAL findings fail the pipeline.
    - trivy image --no-progress --severity HIGH,CRITICAL --exit-code 1 "$IMAGE"

This example GitLab CI/CD pipeline defines three stages: build, test, and scan. The "build" job builds the image and pushes it to the project's GitLab container registry, tagged with the commit SHA; that push is needed because the "scan" job runs on a separate runner and would otherwise have nothing to scan. The "scan" job runs in the official aquasec/trivy image, authenticates to the registry with the job's built-in credentials, and fails the pipeline (--exit-code 1) only when HIGH or CRITICAL vulnerabilities are found. Without --exit-code, Trivy returns 0 regardless of what it finds, and the pipeline would always pass.
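Snippet 4 saves the report as JSON, and the "scan" job above fails only on severity. The script below is an added example, not code from the original post or from the Trivy project, showing how to triage that JSON on a Windows workstation: it summarises findings per severity and exits non-zero only for HIGH/CRITICAL findings that actually have a fixed version, so unfixable findings are listed but don't block you. The report path and the blocking severities are assumptions you can override; the field names (Results, Vulnerabilities, Severity, FixedVersion, VulnerabilityID, PkgName, InstalledVersion, ArtifactName) are those of Trivy's JSON report.

```powershell
# Added example: triage a Trivy JSON report produced by
#   trivy image --format json --output scan_results.json <image_name>
# $ReportPath and $BlockOn are assumptions; adjust them to your pipeline.
param(
    [string]   $ReportPath = "scan_results.json",
    [string[]] $BlockOn    = @("HIGH", "CRITICAL")
)

$report = Get-Content -Path $ReportPath -Raw | ConvertFrom-Json

# Flatten every scanned target (OS packages, each lockfile, ...) into one list.
# Targets with no findings omit the Vulnerabilities key, which the inner loop tolerates.
$vulns = foreach ($result in $report.Results) {
    foreach ($v in $result.Vulnerabilities) {
        [pscustomobject]@{
            Target    = $result.Target
            ID        = $v.VulnerabilityID
            Package   = $v.PkgName
            Installed = $v.InstalledVersion
            Fixed     = $v.FixedVersion
            Severity  = $v.Severity
        }
    }
}

Write-Host "Image: $($report.ArtifactName)  Findings: $(@($vulns).Count)"
$vulns | Group-Object Severity | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# A finding is actionable only when FixedVersion is non-empty: those can be
# remediated by upgrading the package. Unfixed ones are shown above but do not block.
$blocking = @($vulns | Where-Object { $_.Severity -in $BlockOn -and $_.Fixed })

if ($blocking.Count -gt 0) {
    Write-Host "Fixable $($BlockOn -join '/') findings:"
    $blocking | Sort-Object Severity, Package | Format-Table ID, Package, Installed, Fixed, Severity -AutoSize
    Write-Error "$($blocking.Count) fixable finding(s); failing the build."
    exit 1
}
Write-Host "No fixable $($BlockOn -join '/') findings."
```

Save it as Triage-Trivy.ps1 and run .\Triage-Trivy.ps1 -ReportPath scan_results.json. Gating on fixable findings keeps the pipeline actionable, but record the unfixed ones too: they still need a mitigation or a tracked exception.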

My Trivy Workflow

Here's how I typically use Trivy, incorporating the GitLab context:

  1. Push Code to GitLab: I push my code changes to GitLab.

  2. CI/CD Pipeline Triggered: My GitLab CI/CD pipeline is triggered, which includes the Trivy scan.

  3. Trivy Scan: Trivy scans the container image built from my code for vulnerabilities.

  4. Report and Action: Trivy generates a report. If vulnerabilities are found, I investigate and remediate them.

Trivy: A Security Must-Have

Trivy has become an essential part of my container security workflow. It's a powerful tool that helps me build secure and reliable containerized applications, especially when integrated with my GitLab workflow.

Resources for Further Exploration

I hope this guide helps you get started with Trivy and integrate it into your GitLab workflow! Happy scanning, see you on Day 26
