Combine safety into CI/CD with the Trivy scanner
Assaults on cloud-native infrastructures are on the rise. Analysis over a six-month interval in 2021 exhibits a 26% improve in assaults on container environments over the earlier six months. Malicious actors are focusing on the auto-build course of, packing the payloads, utilizing rootkits, and compromising misconfigured APIs—usually inside lower than an hour from setup.
Automating vulnerability scanning into improvement processes can scale back the chance of profitable assaults and assist defend containerized workloads. One of many main instruments that permits that is Aqua Safety’s Trivy, an easy-to-use open supply vulnerability scanner that helps groups “shift left” to include safety into the construct pipeline.
Since its inception only a few years in the past, Trivy has gained widespread reputation and broad assist for its easy strategy and complete vulnerability monitoring throughout each OS packages and language-specific dependencies. The Cloud Native Computing Basis’s finish person group chosen Trivy as a high devsecops device for the 2021 CNCF Finish Consumer Expertise Radar. Trivy has been adopted by many main cloud-native platforms and software program suppliers, together with Litmus, Kyverno, Istio, and ExternalDNS; it’s the default scanner for Harbor, GitLab, and Artifact Hub; and Microsoft Azure Defender’s CI/CD scanning is powered by Trivy.
Trivy has developed a fantastic deal since its creation, and our concentrate on simplicity and effectiveness makes it a essential device inside any developer’s toolkit. On this article, I’d prefer to stroll you thru how Trivy integrates safety into the construct course of, share some latest developments, and clarify how Trivy suits into the broader Aqua Safety open supply ecosystem for securing the complete life cycle of cloud-native purposes.
How Trivy works
The cloud-native safety journey begins with gaining visibility into vulnerabilities that exist in code. Figuring out and mitigating points within the improvement stage reduces the assault floor and eliminates danger. For cloud-native purposes, this includes scanning photos and features as they’re being constructed, to detect points early and permit for fast remediation, in addition to constantly scanning registries to account for newly found vulnerabilities.
Trivy permits devops groups to arrange and begin scanning as quick as improvement requires. Deployment and integration into the CI/CD pipeline is so simple as downloading and putting in the binary. Trivy will be built-in into CI instruments, equivalent to Travis CI, CircleCI, and GitLab CI. Trivy will be set to fail the job run if a vulnerability is discovered. Trivy can be obtainable as a GitHub Motion, which permits straightforward integration with GitHub code scanning. Builders can construct container picture scanning into their GitHub Actions workflow to search out and remove vulnerabilities earlier than they attain manufacturing.
Not like different open supply scanners, Trivy offers complete visibility throughout working system packages and programming language packages. It fetches vulnerability knowledge quicker than different instruments, so scanning takes seconds, and significant CVEs will be filtered instantly within the command line.
Trivy has a compact database, with auto-update capabilities that don’t require exterior middleware or database dependencies. Trivy will robotically maintain the database up-to-date by downloading the newest pre-built model from GitHub. This permits the device to be extraordinarily quick and environment friendly. The device offers outcomes for mounted and unfixed vulnerabilities, and low false positives for working methods equivalent to Alpine Linux.
Current Trivy developments
Trivy was developed with a powerful emphasis on usability, efficiency, and efficacy, and the developments remodeled the previous few years have supported these foundational ideas. We’ve added capabilities that support devops groups and their processes, whereas guaranteeing that the device stays extremely efficient and straightforward to make use of.
Along with container picture scanning, Trivy now helps scanning for file methods and Git repositories. These capabilities assist to bolster container safety finest practices, equivalent to sustaining a set of base photos which might be well-maintained and safe. For instance, Aqua Safety lately pulled a pattern of official Docker photos utilizing the Docker Hub API after which scanned these photos for vulnerabilities. We discovered that many photos have been operating unsupported working methods, together with older variations of Debian or Alpine, and that in some circumstances, the official photos have been now not supported.
We additionally discovered photos with giant numbers of unpatched vulnerabilities however no formal deprecation data. This consists of Nuxeo (186), Backdrop (173), Kaazing Gateway (95), and CentOS (86). The final of those, CentOS, had been downloaded greater than seven million instances between July 29 and August 10, 2021. Having an efficient scanner like Trivy can be certain that improvement groups are utilizing well-maintained and safe base photos, decreasing the danger of exploitation.
Trivy now additionally works as a shopper and server. These options are straightforward to arrange and begin utilizing. An official Helm chart is offered, in order that the Trivy server will be put in in a Kubernetes cluster, and Redis is supported as a cache again finish for scale.
Our most up-to-date addition is the power to scan configuration information of infrastructure-as-code (IaC) instruments equivalent to Kubernetes, Docker, and Terraform, to detect misconfigurations. Trivy can parse generally used cloud-native codecs after which apply a algorithm that encode good safety practices. This enables for fast identification of attainable safety points and alternatives for hardening software artifacts, equivalent to Dockerfiles and Kubernetes manifests.
Terraform scanning leverages the wonderful ruleset from the Tfsec challenge, which lately joined the Aqua open supply software program ecosystem. There are units of checks masking the three main cloud suppliers, and it’s attainable to make use of the Tfsec rulebase in a number of places, serving to to make sure constant coverage software by the event course of.
Future Trivy enhancements will add IaC scanning assist for Ansible, CloudFormation, and Helm. Different updates will add Trivy assist for the lately launched AlmaLinux, Rocky Linux, and different new working methods, plus develop assist for programming languages and introduce assist for software program invoice of fabric (SBOM).
An open supply ecosystem for cloud-native safety
Trivy is a part of Aqua’s portfolio of open supply cloud-native safety tasks. We see open supply as a approach to democratize safety and likewise educate engineering, safety, and devops groups by accessible instruments, decreasing the talents hole and automating safety controls into cloud-native pipelines nicely earlier than purposes go into manufacturing. Our different open supply tasks embody:
- Tracee: Detects suspicious behaviors at runtime utilizing eBPF tracing and research-driven behavioral signatures.
- Tfsec: Offers Terraform scanning with a run-anywhere design that ensures that vulnerabilities are recognized earlier than deployment, no matter complexity.
- Starboard: A Kubernetes-native safety toolkit for scanning photos utilized by workloads in a Kubernetes cluster.
- Kube-bench: Winner of a 2018 InfoWorld Bossie Award, Kube-bench robotically determines whether or not Kubernetes is configured in line with suggestions within the CIS Kubernetes benchmark.
- Kube-hunter: A penetration testing device that searches for weaknesses in Kubernetes clusters, so directors, operators, and safety groups can establish and deal with any points earlier than attackers are in a position to exploit them.
- CloudSploit: Offers cloud safety posture administration (CSPM), evaluating cloud account and repair configurations in opposition to safety finest practices.
- Appshield: A set of insurance policies for detecting misconfigurations, particularly safety points, in configuration information and infrastructure-as-code definitions.
These tasks combine with Aqua’s Cloud Native Utility Safety Platform and with many generally used devops ecosystem instruments to assist drive quicker adoption of cloud-native applied sciences and processes, whereas sustaining safety. They’re supported by Aqua’s open supply crew, which operates individually from business engineering. We consider this enables us to maintain our dedication to offering long-term assist, creating in-demand options with high-quality code, and regularly contributing to different tasks throughout the open supply group.
Teppei Fukuda is an open supply software program engineer at Aqua Safety.
New Tech Discussion board offers a venue to discover and talk about rising enterprise expertise in unprecedented depth and breadth. The choice is subjective, based mostly on our choose of the applied sciences we consider to be essential and of best curiosity to InfoWorld readers. InfoWorld doesn’t settle for advertising and marketing collateral for publication and reserves the proper to edit all contributed content material. Ship all inquiries to [email protected].
Copyright © 2021 IDG Communications, Inc.