Tag: container security

  • Lab: Securing Docker Images with Trivy Automation

    Vulnerabilities in container images expose organizations to supply chain attacks and runtime exploits. Trivy detects these issues early by scanning for known vulnerabilities, misconfigurations, secrets, and licenses in Docker images and their dependencies. Security teams integrate Trivy into CI/CD pipelines to enforce secure builds and block vulnerable images from reaching production.

    Prerequisites

    Install Docker on your workstation and verify it with docker --version. Install Trivy either as the official binary or as a Docker container (the aquasec/trivy image). For the binary, download the latest release from the Aqua Security GitHub repository, verify it against the checksums published with that release, add it to your PATH, and confirm with trivy --version. Create a sample project directory with a basic Dockerfile.

    Step 1: Build a Test Docker Image

    Navigate to your project directory. Create a Dockerfile that pulls a base image known to contain vulnerabilities for demonstration:

    dockerfile

    FROM python:3.9-slim
    
    WORKDIR /app
    COPY . .
    
    CMD ["python", "--version"]

    Build the image:

    Bash

    docker build -t myapp:v1 .

    This command layers the base image and your application code into a new artifact.

    Step 2: Run a Manual Trivy Scan

    Execute Trivy against the local image to surface vulnerabilities:

    Bash

    trivy image myapp:v1

    Trivy downloads (or refreshes) its vulnerability database if needed, then analyzes OS packages and language-specific dependencies found in the image layers. Note that by default trivy image runs only the vuln and secret scanners; misconfiguration and license checks must be enabled explicitly with --scanners (see Step 3). Review the output table. For each finding it lists the library (package name), the vulnerability ID (usually a CVE), severity (CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN), status, installed version, fixed version where one exists, and a short title. Focus first on CRITICAL and HIGH findings, as attackers actively exploit these.

    Filter results to prioritize actionable issues:

    Bash

    trivy image --severity CRITICAL,HIGH myapp:v1

    Use --exit-code 1 so that Trivy returns a non-zero exit status whenever any finding remains at the selected severities; this is what lets a pipeline stage fail the build. In practice, pair it with --ignore-unfixed so the gate blocks only on findings the distribution or upstream project has actually fixed, since there is nothing to upgrade to otherwise:

    Bash

    trivy image --severity CRITICAL,HIGH --exit-code 1 myapp:v1

    Step 3: Interpret Trivy Results

    Trivy categorizes findings by scanner:

    • vuln: Identifies CVEs in OS packages and language-specific dependencies (pip, npm, Go modules, and so on).
    • misconfig: Detects insecure Dockerfile directives and infrastructure-as-code misconfigurations (Kubernetes manifests, Terraform, Helm charts).
    • secret: Uncovers hardcoded credentials such as API keys, tokens, and private keys.
    • license: Flags packages whose open-source licenses violate your policy.

    Only vuln and secret are enabled by default for trivy image; pass --scanners vuln,misconfig,secret,license to run all four.

    For each vulnerability, cross-reference the fixed version and apply updates in your Dockerfile or dependency files. Rebuild and rescan iteratively until the image passes your policy thresholds. Where a finding is accepted risk (for example, a vulnerable function the application never calls), record its vulnerability ID in a .trivyignore file in the scan directory, one ID per line with a # comment explaining the justification; do not lower the severity threshold instead. Trivy also generates reports in multiple formats:

    Bash

    trivy image --format json --output results.json myapp:v1
    trivy image --format table --output report.txt --severity HIGH,CRITICAL myapp:v1
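    The JSON report from Step 3 is what you feed to anything smarter than the severity filter in Step 2. The following is an added example for this lab, not Trivy's own code: it consumes the Results[].Vulnerabilities[] structure that trivy image --format json writes and applies a policy the CLI flags alone cannot express, namely fail on CRITICAL/HIGH, report but do not fail findings that have no fixed version yet (the --ignore-unfixed behaviour), and honour a time-limited allowlist so accepted risks expire instead of living forever in .trivyignore. The embedded report, package names, and CVE-0000-000N identifiers are constructed placeholders, not real advisories.

```python
"""Policy gate over a Trivy JSON report (added example, not Trivy's own code)."""
import json
import sys
from datetime import date

FAIL_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed sample in the shape of `trivy image --format json` output.
# IDs of the form CVE-0000-000N are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "myapp:v1",
    "ArtifactType": "container_image",
    "Results": [
        {"Target": "myapp:v1 (debian 12.5)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
             # No FixedVersion key: the distribution has not shipped a fix yet.
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
              "InstalledVersion": "2.3-1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3",
              "InstalledVersion": "0.9-4", "FixedVersion": "1.0-1", "Severity": "MEDIUM"},
         ]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "examplelib",
              "InstalledVersion": "1.2.0", "FixedVersion": "1.2.1", "Severity": "HIGH"},
         ]},
        # A config-class result carries Misconfigurations, not Vulnerabilities.
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile"},
    ],
})

# Hypothetical allowlist: vulnerability ID -> ISO date on which the exception lapses.
ALLOWLIST = {"CVE-0000-0004": "2099-01-01"}


def load_findings(report_json):
    """Flatten Results[].Vulnerabilities[] into one list; results without a
    Vulnerabilities key (misconfig or secret results) are skipped."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN"),
                "target": result.get("Target", ""),
            })
    return findings


def evaluate(findings, allowlist, today, fail_unfixed=False):
    """Split gated-severity findings into (blocking, suppressed, unfixed).

    `today` and allowlist values are ISO YYYY-MM-DD strings, which compare
    correctly as plain strings. Only `blocking` should fail the pipeline."""
    blocking, suppressed, unfixed = [], [], []
    for f in findings:
        if f["severity"] not in FAIL_SEVERITIES:
            continue
        expiry = allowlist.get(f["id"])
        if expiry is not None and today <= expiry:
            suppressed.append(f)          # accepted risk, still within its expiry
        elif not f["fixed"]:
            unfixed.append(f)             # nothing to upgrade to yet
            if fail_unfixed:
                blocking.append(f)
        else:
            blocking.append(f)
    return blocking, suppressed, unfixed


def exit_code(findings, allowlist, today, fail_unfixed=False):
    """1 if anything blocks, else 0: the same contract as trivy --exit-code 1."""
    blocking, _, _ = evaluate(findings, allowlist, today, fail_unfixed)
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: trivy image --format json myapp:v1 | python3 trivy_gate.py
    # With no piped input the constructed sample report is used.
    raw = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    findings = load_findings(raw)
    today = date.today().isoformat()
    blocking, suppressed, unfixed = evaluate(findings, ALLOWLIST, today)
    for label, group in (("BLOCKING", blocking), ("SUPPRESSED", suppressed), ("UNFIXED", unfixed)):
        for f in group:
            print(f"{label:<10} {f['severity']:<8} {f['id']} {f['pkg']} "
                  f"{f['installed']} -> {f['fixed'] or 'no fix'}  [{f['target']}]")
    sys.exit(exit_code(findings, ALLOWLIST, today))
```

    Keeping the allowlist in a file under version control alongside .trivyignore gives each exception an owner, a reason, and a date on which it comes back to bite the pipeline, which is the behaviour you want from accepted risk.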

    Step 4: Automate Scans in CI/CD Pipelines

    Embed Trivy into your workflow to shift security left. Here is a GitHub Actions example:

    YAML

    name: Trivy Security Scan
    
    on:
      push:
        branches: [ main ]
      pull_request:
        branches: [ main ]
    
    jobs:
      build-and-scan:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
    
          - name: Build Docker image
            run: docker build -t myapp:${{ github.sha }} .
    
          - name: Run Trivy scan
            uses: aquasecurity/trivy-action@master
            with:
              image-ref: 'myapp:${{ github.sha }}'
              format: 'table'
              exit-code: '1'
              severity: 'CRITICAL,HIGH'

    This workflow builds the image on every push or PR, scans it, and fails the pipeline if critical or high vulnerabilities exist. Two adjustments before using it in production: pin the action to a release tag or, better, a full commit SHA instead of @master, because a mutable branch reference is itself a supply-chain exposure in a workflow whose purpose is to reduce supply-chain risk; and consider adding ignore-unfixed: 'true' so the gate blocks only on findings that have a fix available. Adapt the logic for GitLab CI, Jenkins, or Azure DevOps by invoking the trivy CLI in equivalent pipeline stages.

    For local development, create a Makefile or script:

    makefile

    scan:
    	trivy image --severity CRITICAL,HIGH --exit-code 1 myapp:v1

    Step 5: Remediate and Harden Images

    Address findings systematically. Start with the base image, since most OS-package CVEs come from it: an older tag such as python:3.9-slim stops receiving fixes once that Python line reaches end of life, so move to a current tag (pinned by digest for reproducibility) or to a distroless or Chainguard image that ships far fewer packages. Pin application dependencies to exact versions, ideally with hashes (pip's --require-hashes), and upgrade deliberately to the fixed versions Trivy reports rather than running pip install --upgrade blindly. Use multi-stage builds so compilers and build tools never reach the final stage, copy only what the application needs at runtime, and add a USER directive so the process does not run as root. Then scan the Dockerfile itself for misconfigurations:

    Bash

    trivy config .

    Trivy caches the vulnerability database and per-layer analysis results by default (under ~/.cache/trivy on Linux). In CI, point --cache-dir at a directory the runner persists between jobs so the database is not downloaded again on every build:

    Bash

    trivy image --cache-dir /path/to/cache myapp:v1

    Step 6: Enforce Policies and Continuous Monitoring

    Define severity thresholds and enforce them at admission time in Kubernetes with Kyverno or OPA Gatekeeper, for example by admitting only images from a registry whose promotion step requires a passing Trivy scan. Schedule periodic rescans of images already in the registry (cron jobs or dedicated pipeline triggers), because an image that passed yesterday can fail today when new CVEs are published against packages that have not changed. Generate SBOMs for compliance and to make those rescans cheap:

    Bash

    trivy image --format cyclonedx --output sbom.cdx myapp:v1

    Trivy can later scan the SBOM itself (trivy sbom sbom.cdx) and report vulnerabilities without pulling the image again. The vulnerability database is refreshed automatically at scan time and republished several times a day, so the thing to keep current yourself is the Trivy binary, which is where new parsers and checks arrive; in air-gapped pipelines, mirror the database and run with --skip-db-update.
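    Once you keep an SBOM per released image, the remediation loop in Step 5 and the periodic rescans above can be reviewed for what actually changed between builds. The following is an added example for this lab, not Trivy's own code: it compares two CycloneDX documents of the kind trivy image --format cyclonedx writes and lists packages added, removed, or changed in version, matching packages on their purl identity while ignoring qualifiers such as arch or distro so a base-image bump does not make every package look different. The two SBOMs embedded below are constructed; package names and versions are placeholders.

```python
"""Drift check between two CycloneDX SBOMs (added example, not Trivy's own code)."""
import json

# Constructed CycloneDX documents, trimmed to the fields the diff uses.
OLD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": "myapp:v1"}},
    "components": [
        {"type": "library", "name": "libexample1", "version": "1.0-1",
         "purl": "pkg:deb/debian/libexample1@1.0-1?arch=amd64&distro=debian-12.5"},
        {"type": "library", "name": "gcc-12", "version": "12.2.0-14",
         "purl": "pkg:deb/debian/gcc-12@12.2.0-14?arch=amd64&distro=debian-12.5"},
        {"type": "library", "name": "examplelib", "version": "1.2.0",
         "purl": "pkg:pypi/examplelib@1.2.0"},
    ],
})
NEW_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": "myapp:v2"}},
    "components": [
        {"type": "library", "name": "libexample1", "version": "1.0-2",
         "purl": "pkg:deb/debian/libexample1@1.0-2?arch=amd64&distro=debian-12.6"},
        {"type": "library", "name": "examplelib", "version": "1.2.1",
         "purl": "pkg:pypi/examplelib@1.2.1"},
        {"type": "library", "name": "newdep", "version": "0.4.0",
         "purl": "pkg:pypi/newdep@0.4.0"},
        # Operating-system component without a purl: ignored by the diff.
        {"type": "operating-system", "name": "debian", "version": "12.6"},
    ],
})


def split_purl(purl):
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into
    (identity, version). Qualifiers such as arch or distro are dropped so the
    same package matches across rebuilds even when the distro release moved."""
    core = purl.split("#", 1)[0].split("?", 1)[0]
    if "@" in core:
        identity, version = core.rsplit("@", 1)
        return identity, version
    return core, ""


def components(sbom_json):
    """Map package identity -> version for every component that has a purl."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out = {}
    for comp in bom.get("components") or []:
        purl = comp.get("purl")
        if not purl:
            continue
        identity, version = split_purl(purl)
        out[identity] = version or comp.get("version", "")
    return out


def diff_sboms(old_json, new_json):
    """Return added, removed and version-changed packages between two SBOMs."""
    old, new = components(old_json), components(new_json)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted((k, old[k], new[k])
                          for k in old.keys() & new.keys() if old[k] != new[k]),
    }


if __name__ == "__main__":
    # Usage: python3 sbom_diff.py old.cdx.json new.cdx.json (sample data when no args)
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            result = diff_sboms(a.read(), b.read())
    else:
        result = diff_sboms(OLD_SBOM, NEW_SBOM)
    for pkg in result["added"]:
        print(f"+ {pkg}")
    for pkg in result["removed"]:
        print(f"- {pkg}")
    for pkg, before, after in result["changed"]:
        print(f"~ {pkg} {before} -> {after}")
```

    In the sample, the rebuild upgraded the two vulnerable packages, dropped the compiler that a multi-stage build no longer copies into the final image, and pulled in one new dependency; that last line is the one a reviewer should stop on, because an unexpected addition is how a supply-chain compromise first shows up in an SBOM diff.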

    Operational Best Practices

    Run Trivy in CI/CD on every build and before deployment. Combine it with runtime tools like Falco for defense-in-depth. Treat base image updates as routine maintenance, not one-off events. Document scan results in your security dashboard and track remediation velocity. Automate notifications for new critical findings via webhooks.

    Master Trivy and you establish a robust container security posture that aligns with CAS-005 principles of vulnerability management, secure configuration, and supply chain risk mitigation. Practice this lab end-to-end, then extend it to your production images. Secure builds compound into resilient deployments.