- Take me to the Video Tutorial
In this section, we will take a look at Scan images for known vulnerabilities (Trivy).
-
CVE is short for Common Vulnerabilities and Exposures.
-
Each CVE gets what is called a severity score for severity rating (between 0 to 10 or None, Low, Medium, High, Critical).
-
Container scanners look for vulnerabilities in the execution environment. More specifically, such a scanner looks at applications included in that container and tells you what vulnerabilities they are known to have. So, for example, it seems that you have nginx version 1.14.2 in there. Based on this version, it can then tell you a list of known vulnerabilities for that particular version.
-
Trivyis a simple and comprehensive vulnerability scanner for containers and other artifacts. A software vulnerability is a glitch, flaw, or weakness present in the software or in an Operating System. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Trivy is easy to use. Just install the binary and you're ready to scan. All you need to do for scanning is to specify a target such as an image name of the container.
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
trivy image nginx:1.18.0
docker save nginx:1.18.0 > nginx.tar
trivy image --input nginx.tar