
Analysis

Scanning Docker images for security issues is an essential DevSecOps practice: it surfaces known vulnerabilities in container images before they are deployed to production. Trivy is the tool used for this purpose in this project. It matches the OS packages and application dependencies found inside an image against a database of known vulnerabilities, so that development and operations teams can remediate proactively instead of discovering the problem in production.

Trivy

Vulnerability scanning: Trivy uses an extensive database of known vulnerabilities in libraries and software packages to identify security issues in Docker images.

CI/CD integration: Trivy can be easily incorporated into CI/CD pipelines to automate the scanning of container images at every stage of the development cycle, from build to deployment.

Fast scanning: Trivy is known for its fast scanning speed, allowing you to quickly identify potential security issues without slowing down the development process.

Cross-platform compatibility: Trivy supports a variety of platforms and container registries, making it easy to deploy in heterogeneous environments.

Integration with container orchestrators: Trivy can be used with popular container orchestrators such as Kubernetes to ensure that images used in clusters are secure.

Detailed reports: Provides detailed reports on vulnerabilities found, including information on impact and possible solutions.

Regular updates: The Trivy vulnerability database is updated regularly to ensure that assessments are based on the latest security information.

Customization: Trivy allows you to customize scanning policies and set severity thresholds to customize responses to detected vulnerabilities.

GitLab integration

To integrate Trivy into the CI pipeline we use the "latest" tag of the official image rather than pinning a digest, as is done for every other image in this project. This is a deliberate trade-off: pinning would make the job reproducible, but here we prefer to always run the current scanner release. Note that the vulnerability database itself is not baked into the image: Trivy downloads it at scan time, and the --offline-scan flag used below only disables the external API calls Trivy makes to resolve dependencies (skipping the database update is a different flag, --skip-db-update). The runner therefore needs outbound access for the database download whichever image tag is used, and it is that download, not the image tag, that keeps the vulnerability data fresh.

.gitlab-ci.yml

```yaml
docker_scan:
  stage: build_test
  # fetch the tar_images artifacts produced by docker_build
  dependencies: ["docker_build"]
  variables:
    DD_SCAN_TYPE: "Trivy Scan"
    DD_PRODUCT_NAME: "Trivy"
    DD_SCAN_ACTIVE: "true"
    DD_SCAN_VERIFIED: "false"
  image:
    name: docker.io/aquasec/trivy:latest
    entrypoint: [""]
  script:
    - mkdir -p scan_result
    - cd tar_images
    - |
      for tar_image in *.tar;
      do
        [ -e "$tar_image" ] || continue;
        file_name=${tar_image%.*};
        trivy image --timeout 15m --offline-scan --input "$tar_image" -f json -o "../scan_result/$file_name.json" --severity CRITICAL;
      done
    - |
      cd ../scan_result
      ls;
      vulns=false;
      for result in *.json;
      do
        [ -e "$result" ] || continue;
        file_name=${result%.*};
        # Trivy only writes a "Vulnerabilities" key when a target has findings
        vulnerabilities=$(awk -F '[:,]' '/"Vulnerabilities"/ {gsub("[[:blank:]]+", "", $2); print $2}' "$file_name.json");
        if ! [ -z "$vulnerabilities" ]; then
          vulns=true;
          # export it: the uploader is a child process and would not see a plain assignment
          export DD_SCAN_FILE="$file_name.json";
          # absolute path: the shell is inside scan_result at this point
          bash "$CI_PROJECT_DIR/.gitlab-ci/defectdojo-finding.sh"
        fi
      done
      if [ "$vulns" = true ]; then
        exit 1;
      fi
  artifacts:
    # keep the reports even when the job fails, which is exactly when they matter
    when: always
    paths:
      - scan_result
    expire_in: 1 month
```

The job named docker_scan runs in the "build_test" stage after the "docker_build" job. It scans the Docker images built by that job with Trivy, writes one JSON report per image, and sends the reports to DefectDojo. The value "Trivy Scan" in DD_SCAN_TYPE is the name of the DefectDojo parser for Trivy's JSON output, not the name of the scanner itself.

  • dependencies: ["docker_build"]: fetches the artifacts of the docker_build job (the "tar_images" directory) into this job's workspace, which is what makes the analysis possible. Ordering is already guaranteed by the stages; if docker_build fails, the build_test stage is not reached and this job does not run.

  • variables: Defines several environment variables to be used in the process of analysis and sending results to DefectDojo. These variables include the type of analysis, the name of the product, the activation of the analysis and its verification status.

  • image: This job uses the Docker image "docker.io/aquasec/trivy:latest" to run the security analysis.

  • script: In this section, a script is executed that performs the following actions:

    • The job starts by creating a directory called "scan_result" to store the scan results.
    • Next, it changes into the directory containing the previously built Docker images ("tar_images"), loops over every image saved in tar format and scans each one with Trivy. The --input flag reads the tarball directly, so no registry or Docker daemon is needed, and --severity CRITICAL restricts the report to critical findings. Each result is written as a JSON file in the "scan_result" directory.
    • After all images have been scanned, the job checks each JSON report for a "Vulnerabilities" entry, which Trivy only emits when a target has at least one finding.
    • If a report contains findings, the job sets the variable "DD_SCAN_FILE" to the name of that JSON file and calls the script "defectdojo-finding.sh" to upload it to DefectDojo. Because that script runs as a separate process, the variable has to be exported for the script to see it.
    • If any image had findings, the job exits with status 1, which marks the job as failed and blocks the pipeline.
  • artifacts: The scan results are stored as job artifacts and kept for one month, so they are available for review and audit during that period. Note that GitLab uploads artifacts only for successful jobs unless artifacts: when: always is set; since this job deliberately fails when it finds vulnerabilities, that setting is required for the reports to be kept in exactly the case that matters.
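The gating step of the job (inspect each report, hand the failing ones to the uploader, fail the job) is the part most worth getting right, so here it is as a stand-alone script. This is an added example, not code from the original page or from the project: it assumes only a POSIX shell and grep, replaces defectdojo-finding.sh with a local stand-in function named record_upload, and runs against two constructed Trivy-shaped reports whose vulnerability IDs are placeholders, not real CVEs. Instead of splitting the "Vulnerabilities" line with awk it counts VulnerabilityID entries, which also works when the JSON is minified, and it exports DD_SCAN_FILE so that a child process actually receives it.

```shell
#!/bin/sh
# Added example, not part of the original page or the project's pipeline:
# a stand-alone gate over Trivy JSON reports mirroring the docker_scan job.
set -eu

WORK="$(mktemp -d)"

# Constructed report (not real scan output) shaped like Trivy's JSON schema v2:
# one target with two CRITICAL findings. The IDs are placeholders, not real CVEs.
cat > "$WORK/app.json" <<'EOF'
{
  "SchemaVersion": 2,
  "ArtifactName": "app.tar",
  "Results": [
    {
      "Target": "app.tar (alpine)",
      "Class": "os-pkgs",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "pkg-a", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "pkg-b", "Severity": "CRITICAL"}
      ]
    }
  ]
}
EOF

# Constructed clean report: Trivy omits the "Vulnerabilities" key entirely
# when a target has no findings, so this file must not trip the gate.
cat > "$WORK/clean.json" <<'EOF'
{
  "SchemaVersion": 2,
  "ArtifactName": "clean.tar",
  "Results": [
    {"Target": "clean.tar (alpine)", "Class": "os-pkgs"}
  ]
}
EOF

# Number of findings in one report. Every vulnerability object carries exactly
# one "VulnerabilityID" key, so counting those is a jq-free proxy that the
# Alpine-based trivy image can run; grep -o makes it work on minified JSON too.
count_vulns() {
    grep -o '"VulnerabilityID"' "$1" | grep -c . || true
}

# Stand-in for .gitlab-ci/defectdojo-finding.sh (hypothetical here): it only
# records which report it was asked to upload, reading DD_SCAN_FILE from the
# environment exactly as a separate script would have to.
record_upload() {
    echo "${DD_SCAN_FILE:?DD_SCAN_FILE is not set}" >> "$WORK/uploads.log"
}

# Gate every report in a directory: returns 0 only when all are clean. For each
# failing report it exports DD_SCAN_FILE before invoking the uploader; a plain
# assignment would stay in this shell and never reach a child process.
gate_reports() {
    reports_dir="$1"; uploader="$2"; failed=0
    for report in "$reports_dir"/*.json; do
        [ -e "$report" ] || continue
        n="$(count_vulns "$report")"
        if [ "$n" -gt 0 ]; then
            failed=1
            echo "$(basename "$report"): $n finding(s)" >&2
            export DD_SCAN_FILE="$report"
            "$uploader"
        fi
    done
    return "$failed"
}

# Usage: in the real job the failing branch is where "exit 1" fails the pipeline.
if gate_reports "$WORK" record_upload; then
    echo "all images clean"
else
    echo "blocking: findings uploaded for $(tr '\n' ' ' < "$WORK/uploads.log")"
fi
```

Running it prints "app.json: 2 finding(s)" on stderr and the blocking line on stdout; clean.json never reaches the uploader. Dropping the gate into the job would mean replacing record_upload with the real uploader script and turning the else branch into exit 1.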