
Shift Left Security in your Cloud-Native Environment with Trivy

What is Trivy?

Trivy is an open-source scanning tool that finds vulnerabilities and misconfigurations in cloud-native infrastructures and application stacks. It can be used to scan filesystems, (remote) Git repositories, virtual machine images, container images, Kubernetes, and AWS. Trivy supports Infrastructure-as-Code (IaC) security scanning covering Docker, Kubernetes, Terraform, and CloudFormation.

Trivy has gained a lot of popularity in the DevOps and security community. It aligns with the DevSecOps approach, allowing easy integration with CI/CD systems. Trivy’s ecosystem includes several extensions that are built for CI/CD platforms, such as GitLab CI, GitHub Actions, Azure DevOps, Bitbucket, Semaphore, CircleCI, and others.

When it comes to security, shifting left is essential for ensuring the integrity of the environment. Vulnerabilities can be detected and fixed early in the software development lifecycle, reducing the risk of security breaches after deployment to production. Trivy can detect issues like Docker images designed to run as root, Kubernetes manifests that need privileged access to a node’s filesystem, or a Terraform script that configures a publicly accessible S3 bucket.

What are the common uses for Trivy?

Trivy is used for:

  • Common Vulnerabilities and Exposures (CVE) detection

You can scan container images, filesystems, and Git repositories to detect CVEs. Trivy also detects vulnerabilities in a wide range of operating systems and programming languages, across different versions and vulnerability sources. The vulnerability database is updated with information from the National Vulnerability Database (NVD), RHEL/CentOS, Debian, Ubuntu, Arch Linux, and more. Trivy uses the advisory database from the relevant OS vendor for packages installed using OS package managers (dpkg, yum, apk, etc.). For other packages, it will use the GitLab and GitHub databases.

  • IaC issues and misconfiguration detection

Trivy can parse popular cloud-native template formats—Kubernetes, Docker, Terraform, and CloudFormation—and apply rules based on security practices. You can use the built-in policies to detect misconfiguration or you can write your custom policies in Rego to scan JSON or YAML files. Trivy also has integrations with Visual Studio Code and JetBrains to give developers IaC scanning capabilities as they write their code.

  • Secrets and sensitive information

Trivy scans container images, filesystems, and Git repositories for exposed secrets such as passwords, tokens, and API keys. There are 50+ built-in rules you can use for secret scanning, including AWS, GCP, GitHub, GitLab, Bitbucket, Stripe, Atlassian, Grafana, HashiCorp, Facebook, Twitter, LinkedIn, and Slack, to name a few.

  • Compliance / Benchmark Scanning

    • NSA/CISA Kubernetes compliance
    • Kubernetes CIS Benchmark Scanning
    • Docker CIS Benchmark Scanning

  • Software Bill of Materials (SBOM) discovery

An SBOM is a list of all the components, libraries, and modules, together with their dependencies, used in building a particular piece of software. SBOMs are important for security, compliance, and audit purposes.

With Trivy, you can generate SBOMs in the CycloneDX standard for container images, or other artifacts like a filesystem or a repository.
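As an added example (not code from this post or from the Trivy project), the following Python script implements the CI/CD gate the "common uses" above imply: it reads a Trivy JSON report (`trivy image --format json ...`) and fails the build when CVEs, failed IaC checks, or exposed secrets at or above a chosen severity are present. The field names follow Trivy's JSON output format; the report content, the CVE and check identifiers, the image name, and the `collect_findings()` and `gate()` helpers are constructed for illustration.

```python
import json
import sys

# Severity ranking used to compare each finding against the pipeline threshold.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample shaped like Trivy's JSON report (SchemaVersion 2); ids, names and versions are placeholders.
SAMPLE_REPORT = {"SchemaVersion": 2, "ArtifactName": "example.invalid/app:1.0", "ArtifactType": "container_image",
    "Results": [
        {"Target": "example.invalid/app:1.0 (alpine 3.x)", "Class": "os-pkgs", "Type": "alpine", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libexample", "FixedVersion": "1.0.1-r0", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libother", "FixedVersion": "", "Severity": "CRITICAL"}]},
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile", "Misconfigurations": [
            {"ID": "DS-EXAMPLE-1", "Title": "Image runs as root", "Severity": "HIGH", "Status": "FAIL"},
            {"ID": "DS-EXAMPLE-2", "Title": "HEALTHCHECK defined", "Severity": "LOW", "Status": "PASS"}]},
        {"Target": "app/config.env", "Class": "secret", "Secrets": [
            {"RuleID": "aws-access-key-id", "Category": "AWS", "Severity": "CRITICAL",
             "Title": "AWS Access Key ID", "Match": "AWS_ACCESS_KEY_ID=AKIA****************"}]},
    ]}


def collect_findings(report, threshold="HIGH", fixed_only=False):
    """Return (kind, target, id, severity) for every finding at or above `threshold`."""
    minimum = SEVERITY_RANK[threshold]
    findings = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        for vuln in result.get("Vulnerabilities") or []:
            # fixed_only drops CVEs with no vendor fix yet: reported, but not yet actionable.
            if fixed_only and not vuln.get("FixedVersion"):
                continue
            if SEVERITY_RANK.get(vuln["Severity"], 0) >= minimum:
                findings.append(("vulnerability", target, vuln["VulnerabilityID"], vuln["Severity"]))
        for check in result.get("Misconfigurations") or []:
            # Trivy lists passed checks too; only Status == FAIL is a problem.
            if check.get("Status") == "FAIL" and SEVERITY_RANK.get(check["Severity"], 0) >= minimum:
                findings.append(("misconfiguration", target, check["ID"], check["Severity"]))
        for secret in result.get("Secrets") or []:
            # An exposed credential fails the build whatever the severity threshold is.
            findings.append(("secret", target, secret["RuleID"], secret["Severity"]))
    return findings


def gate(report, threshold="HIGH", fixed_only=False):
    """CI exit code: 0 when the report is clean at this threshold, 1 otherwise."""
    return 1 if collect_findings(report, threshold, fixed_only) else 0


if __name__ == "__main__":  # python gate.py trivy-report.json (no argument: the sample above)
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(data))
```

For the simple case, Trivy's own `--severity`, `--exit-code` and `--ignore-unfixed` flags give the same result without a script; parsing the report is useful when one gate must consolidate several scans or apply different rules per finding class.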

How can you use Trivy for Kubernetes?

Trivy can scan a full cluster, a specific namespace, or a specific resource. The results can be filtered by severity or security check—misconfiguration, secrets, or vulnerabilities.

The Trivy K8s CLI can be run locally or it can be integrated into the CI/CD pipeline. The K8s CLI allows users to scan Kubernetes cluster resources and generate an NSA/CISA Kubernetes compliance report to strengthen the environment.

The Trivy CLI is great for on-demand scans and automation pipelines, but it does not detect changes to running, in-cluster resources. For this reason, there is also a Trivy K8s operator that handles continuous cluster audit scanning. The operator can be deployed inside a Kubernetes cluster, where it monitors state changes and initiates a vulnerability scan whenever a resource is deployed or updated.

What are the benefits of Trivy?

Trivy is a consolidated tool that offers a range of valuable features:

  • Reliable

The vulnerability database is updated every six hours via the associated Aqua Security GitHub repository. A new version of Trivy is released monthly.

  • Fast

A cold scan takes only a few seconds, while a subsequent run is almost instantaneous.

  • Easy to install

Trivy is a single binary with no dependencies and runs on every OS and CPU.

  • Versatile

You can scan local or remote images, archived or extracted, on multiple container engines.

  • Production-fit

It is the default integrated scanner for Harbor, Artifact Hub, and GitLab’s Container Scanning functionality.

  • Free

Trivy is truly open source, licensed under the Apache 2.0 software license.

In conclusion

Implementing shift left security principles can ensure that cloud-native apps are secure and compliant from development to production.

The consequences of a data breach resulting from a cloud attack range from the unplanned expense of fixing security gaps to compliance fines, lawsuits, a decrease in sales, or loss of competitive edge. According to a recent Statista survey, “seven percent of respondents answered that their companies suffered losses worth over 500,000 U.S. dollars because of cloud cyber threats”.

Integrating Trivy into your process helps find vulnerabilities and configuration issues earlier in the software development lifecycle, reducing the time and cost associated with fixing them later.

Want to know more?

For expert insights on the market readiness of Trivy, check out Devoteam’s 2023 TechRadar.