在云和容器流行的今天,每个企业都在使用容器(云)来构建自己的基础架构。容器技术给我们带来了极大的方便,一键拉个镜像,一键启动就可以部署成功应用。然而,由此却带来了一些安全风险,基于镜像、基础库和源码仓库都有可能成为潜在的漏洞点(甚至可能被投毒),为了避免相关风险,对其进行安全扫描必不可少,今天虫虫就给大家介绍一个这样的专门开源免费扫描工具——Trivy。概述Trivy是一个简单而全面的扫描器,用于检测容器镜像、文件系统和Git存储库中的漏洞以及配置问题。Trivy检测操作系统包(Alpine、RHEL、CentOS 等)和特定编程语言包(Bundler、Composer、npm、yarn 等)的漏洞。 此外,Trivy扫描基础设施即代码 (IaC) 文件,例如 Terraform、Dockerfile 和Kubernetes,从中发现部署中面临攻击风险和潜在配置问题的等。Trivy易于使用。基于Golang语言开发,只需下载对应平台的二进制文件,就可以进行扫描了。安装Trivy安装非常简单,如果有Golang环境的可以Clone源码仓自己编译构建。或者使用发行版的包安装器安装,比如CentOS:sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO – aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add –
echo deb aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivyUbuntu安装:sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO – aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add –
echo deb aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivyTrivy也支持容器方式部署:docker pull aquasec/trivy:0.20.2然后直接启动容器:docker run –rm -v [YOUR_CACHE_DIR]:/root/.cache/ aquasec/trivy:0.20.2 [YOUR_IMAGE_NAME]如果想要扫主机上的镜像,可能需要挂载docker.sock,例如:docker run –rm -v /var/run/docker.sock:/var/run/docker.sock \
-v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.20.2 python:3.4-alpine使用镜像的扫描非常简单,其基本格式为“trivy 命令 参数”的方式:扫描镜像漏洞镜像的扫描非常简单只需指定镜像名称即可(和标签)。trivy image [YOUR_IMAGE_NAME]例如:trivy image python:3.4-alpine结果相关包的漏洞扫描文件系统中的漏洞和错误配置只需指定要扫描的目录。trivy fs –security-checks vuln,config [YOUR_PROJECT_DIR]例如,我们指定一个tidb的源码目录扫描下:trivy fs –security-checks vuln,config tidb/结果扫描目录中的错误配置只需指定一个包IaC文件的目录就行,例Terraform和Dockerfile。trivy config [YOUR_IAC_DIR]例如,我们还是指定tidb源码的当前目录扫描trivy config ./结果集成作为一个容器扫描的工具,当然其最大的用武之处就是,继承到cicd或者DevSecOps中,对项目自动化持续扫描,下面是给出一个gitlab-ci的例子()stages:
– test
trivy:
stage: test
image: docker:stable
services:
– name: docker:dind
entrypoint: ["env", "-u", "DOCKER_HOST"]
command: ["dockerd-entrypoint.sh"]
variables:
DOCKER_HOST: tcp://docker:2375/
DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: ""
IMAGE: trivy-ci-test:$CI_COMMIT_SHA
before_script:
– export TRIVY_VERSION=$(wget -qO – " api.github /repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
– echo $TRIVY_VERSION
– wget –no-verbose githubaquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O – | tar -zxvf –
allow_failure: true
script:
# Build image
– docker build -t $IMAGE .
# Build report
– ./trivy –exit-code 0 –cache-dir .trivycache/ –no-progress –format template –template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
# Print report
– ./trivy –exit-code 0 –cache-dir .trivycache/ –no-progress –severity HIGH $IMAGE
# Fail on severe vulnerabilities
– ./trivy –exit-code 1 –cache-dir .trivycache/ –severity CRITICAL –no-progress $IMAGE
cache:
paths:
– .trivycache/
# Enables gitlab/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
artifacts:
reports:
container_scanning: gl-container-scanning-report.json结合gitlab-ci进行容器扫描的例子:image:
name: docker.io/aquasec/trivy:latest
entrypoint: [""]
variables:
# No need to clone the repo, we exclusively work on artifacts.
GIT_STRATEGY: none
TRIVY_USERNAME: "$CI_REGISTRY_USER"
TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
TRIVY_AUTH_URL: "$CI_REGISTRY"
FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
script:
– trivy –version
# cache cleanup is needed when scanning images with the same tags, it does not remove the database
– time trivy image –clear-cache
# update vulnerabilities db
– time trivy –download-db-only –no-progress –cache-dir .trivycache/
# Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
– time trivy –exit-code 0 –cache-dir .trivycache/ –no-progress –format template –template "@/contrib/gitlab.tpl"
–output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
# Prints full report
– time trivy –exit-code 0 –cache-dir .trivycache/ –no-progress "$FULL_IMAGE_NAME"
# Fail on critical vulnerabilities
– time trivy –exit-code 1 –cache-dir .trivycache/ –severity CRITICAL –no-progress "$FULL_IMAGE_NAME"
cache:
paths:
– .trivycache/
# Enables gitlab/user/application_security/container_scanning/
artifacts:
when: always
reports:
container_scanning: gl-container-scanning-report.json
tags:
– docker-runner当然Trivy也支持GitHub Actions,CircleCI,Travis CI,AWS CodePipeline,AWS Security Hub等CI流程的持续集成,可以参见官方网站Advanced文档部分。总结Trivy是一个简单、全面、云原生的开源免费安全扫描器,可以让我们的容器云基础设施更加安全合规,每个企业都应该值得关注和使用。
本文出自快速备案,转载时请注明出处及相应链接。
