SafeSCARF Trivy
What is Trivy (Container security scanner)
Trivy is a simple and comprehensive vulnerability scanner for containers. It detects vulnerabilities in OS packages (Alpine, RHEL, CentOS, etc.) and in application dependencies (Bundler, Composer, npm, yarn, etc.). Trivy is easy to use: all you need to do to scan a container is specify its image name.
Most interesting features
  Comprehensive vulnerability detection
    OS packages: Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Debian, Ubuntu, Amazon Linux and Distroless
    Application dependencies: Bundler, Composer, Pipenv, Poetry, npm, yarn and Cargo
  Simple
    Only an image name has to be specified
  High accuracy
    Especially for Alpine Linux and RHEL/CentOS
    Accuracy for other OSes is also high
  DevSecOps
    Suitable for CI systems such as Travis CI, CircleCI, Jenkins, GitLab, etc.
For more information you can visit these pages:
Trivy basic, installation and examples → https://0x1.gitlab.io/security/Trivy/
Official Trivy webpage → https://www.aquasec.com/products/trivy/
Snippets for Trivy
To fill in "safescarf_URL", open the portal and copy the URL shown there; it is unique to your instance. To fill in the correct "engagement ID", see this page.
Image scan
  scan-docker-image-trivy:
    stage: test
    image:
      name: registry.safescarf.pan-net.cloud/trivy
      # Override the image entrypoint so GitLab can run the script lines in a shell
      entrypoint: [""]
    variables:
      SAFESCARF_HOST: "safescarf_URL"      # your SafeSCARF instance URL (see note above)
      SAFESCARF_ENG_ID: "put_your_ID"      # your engagement ID (see note above)
      IMAGE: "image_path"                  # image to scan, e.g. registry/group/project:tag
    script: |-
      ci-connector --version
      time trivy image --format json \
        --output "$CI_PROJECT_DIR/trivy-container-scanning-report.json" "$IMAGE"
      ci-connector upload-scan --scanner 'Trivy Scan' -e "$SAFESCARF_ENG_ID" -f "$CI_PROJECT_DIR/trivy-container-scanning-report.json"
FileSystem scan
  scan-rootfs-trivy:
    stage: sec-test
    image:
      name: registry.safescarf.pan-net.cloud/trivy
      # Override the image entrypoint so GitLab can run the script lines in a shell
      entrypoint: [""]
    variables:
      SAFESCARF_HOST: "safescarf_URL"      # your SafeSCARF instance URL (see note above)
      SAFESCARF_ENG_ID: "put_your_ID"      # your engagement ID (see note above)
      TEST_NAME: safescarf_rootfs_scan     # test name shown in SafeSCARF for this scan
    script: |-
      # Scans the checked-out repository tree (lockfiles, vendored packages) instead of an image
      time trivy rootfs --format json \
        --output "$CI_PROJECT_DIR/trivy-container-scanning-report.json" "$CI_PROJECT_DIR"
      ci-connector upload-scan --scanner 'Trivy Scan' --test-name "$TEST_NAME" -e "$SAFESCARF_ENG_ID" -f "$CI_PROJECT_DIR/trivy-container-scanning-report.json"
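Both jobs above upload the report to SafeSCARF but never fail the pipeline. Trivy can gate on its own with --exit-code 1 --severity HIGH,CRITICAL, but a non-zero exit from trivy would abort the script before ci-connector upload-scan runs, so the findings would never reach SafeSCARF. The script below is an added example, not part of Trivy, SafeSCARF or ci-connector: it reads the JSON report that either job writes (the same file for the image and the rootfs scan) and exits non-zero when findings at or above a severity threshold remain, so it can run as a later pipeline step after the upload has succeeded. The embedded report is a constructed sample in the shape of Trivy's JSON output (the CVE ids, package names and versions are illustrative); the report path and the threshold passed on the command line are assumptions about how you would wire it into the job.

```python
"""Gate a CI job on a Trivy JSON report (added example, not part of SafeSCARF's
ci-connector or Trivy).  Usage: python trivy_gate.py <report.json> [THRESHOLD]
Without arguments it evaluates the constructed SAMPLE_REPORT below."""
import json
import sys
from collections import Counter

# Trivy severity levels, lowest to highest, as written in the "Severity" field.
SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the shape of a Trivy JSON report (schema version 2).
# The CVE ids, packages and versions are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.test/app:1.0",
    "Results": [
        {
            "Target": "registry.example.test/app:1.0 (alpine 3.16.0)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.2.3-r0", "FixedVersion": "1.2.4-r0",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample",
                 "InstalledVersion": "1.2.3-r0", "FixedVersion": "",
                 "Severity": "CRITICAL"},          # no fix available yet
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "busybox",
                 "InstalledVersion": "1.35.0-r1", "FixedVersion": "1.35.0-r2",
                 "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/package-lock.json",
            "Class": "lang-pkgs",
            "Vulnerabilities": None,   # Trivy emits null for a clean target
        },
    ],
})


def iter_vulnerabilities(report):
    """Yield (target, vulnerability) for every finding in the report.

    Trivy >= 0.20 wraps results as {"SchemaVersion": 2, "Results": [...]};
    older releases emitted the results list at the top level.  Both are handled.
    """
    results = report.get("Results") if isinstance(report, dict) else report
    for result in results or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def summarize(report, ignore_unfixed=False):
    """Count findings per severity.  With ignore_unfixed, findings that have no
    FixedVersion (nothing to upgrade to) are skipped, like trivy --ignore-unfixed."""
    counts = Counter()
    for _target, vuln in iter_vulnerabilities(report):
        if ignore_unfixed and not vuln.get("FixedVersion"):
            continue
        counts[vuln.get("Severity", "UNKNOWN").upper()] += 1
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def should_fail(report, threshold="HIGH", ignore_unfixed=False):
    """True if any finding is at or above `threshold` after the unfixed filter."""
    if threshold not in SEVERITIES:
        raise ValueError(f"unknown severity {threshold!r}, expected one of {SEVERITIES}")
    floor = SEVERITIES.index(threshold)
    summary = summarize(report, ignore_unfixed=ignore_unfixed)
    return any(summary[sev] for sev in SEVERITIES[floor:])


def main(argv):
    path = argv[1] if len(argv) > 1 else None      # assumed: report path from the job
    threshold = argv[2].upper() if len(argv) > 2 else "HIGH"
    if path:
        with open(path, encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = json.loads(SAMPLE_REPORT)
    summary = summarize(report)
    print("findings by severity:", summary)
    for target, vuln in iter_vulnerabilities(report):
        fix = vuln.get("FixedVersion") or "no fix available"
        print(f"  {vuln['Severity']:<8} {vuln['VulnerabilityID']:<16} "
              f"{vuln['PkgName']} {vuln['InstalledVersion']} -> {fix}  [{target}]")
    if should_fail(report, threshold):
        print(f"FAIL: findings at or above {threshold}")
        return 1
    print(f"OK: nothing at or above {threshold}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it as an extra script line after ci-connector upload-scan (for example python3 trivy_gate.py "$CI_PROJECT_DIR/trivy-container-scanning-report.json" HIGH, assuming a Python interpreter is available in the job image) keeps the upload unconditional while still blocking merges on HIGH or CRITICAL findings; pass ignore_unfixed=True from your own wrapper if you only want to block on vulnerabilities that already have a fixed version.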