在云和容器流行的今天,每个企业都在使用容器(云)来建立自己的基础设施。容器技术给我们带来了极大的便利,一键拉一个镜像,一键启动就可以部署成功的应用。然而,它带来了一些安全风险,基于镜像、基础库和源仓库可能成为潜在的漏洞点(甚至中毒),为了避免相关风险,安全扫描至关重要,今天昆虫将介绍这样一个特殊的开源免费扫描工具——Trivy。
Trivy用于检测容器镜像、文件系统和Git仓库中的漏洞及配置问题。Trivy检测操作系统包(Alpine、RHEL、CentOS 等等)和特定编程语言包(Bundler、Composer、npm、yarn 等)漏洞。 此外,Trivy扫描基础设施即代码 (IaC) 文件,例如 Terraform、Dockerfile 和Kubernetes,发现部署中存在攻击风险和潜在配置问题。
Trivy易于使用。基于Golang语言开发只需下载相应平台的二进制文件即可扫描。
安装Trivy安装很简单,如果有的话Golang环境的可以Clone源码仓自行编译构建。或使用发行版包装安装器安装,比如CentOS:
sudo apt-get install wget apt-transport-https gnupg lsb-releasewget -qO - aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -echo deb aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.listsudo apt-get updatesudo apt-get install trivy
Ubuntu安装:
sudo apt-get install wget apt-transport-https gnupg lsb-releasewget -qO - aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -echo deb aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.listsudo apt-get updatesudo apt-get install trivy
Trivy还支持容器部署:
docker pull aquasec/trivy:0.20.2
然后直接启动容器:
docker run --rm -v[YOUR_CACHE_DIR]:/root/.cache/ aquasec/trivy:0.20.2[YOUR_IMAGE_NAME]
想扫主机上的镜像,可能需要吊载docker.sock,例如:
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \\-v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.20.2 python:3.4-alpine使用
镜像扫描很简单,其基本格式为trivy 命令 参数:
扫描镜像很简单,只需要指定镜像名称(和标签)。
trivy image[YOUR_IMAGE_NAME]
例如:
trivy image python:3.4-alpine
结果
相关包装的漏洞
只需指定扫描目录。
trivy fs --security-checks vuln,config[YOUR_PROJECT_DIR]
例如,我们指定一个tidb扫描源码目录:
trivy fs --security-checks vuln,config tidb/
结果
只需指定一个包IaC以文件目录为例Terraform和Dockerfile。
trivy config[YOUR_IAC_DIR]
例如,我们仍然指定它tidb扫描当前目录的源代码
trivy config ./
结果
当然,作为一种容器扫描工具,它最大的用途是,继承到cicd或者DevSecOps持续扫描项目自动化,以下是给出一个gitlab-ci的例子()
stages:- testtrivy:stage: testimage: docker:stableservices:- name: docker:dindentrypoint:["env", "-u", "DOCKER_HOST"]command:["dockerd-entrypoint.sh"]variables:DOCKER_HOST: 电脑 tcp://docker:2375/DOCKER_DRIVER: overlay2DOCKER_TLS_CERTDIR: ""IMAGE: trivy-ci-test:$CI_COMMIT_SHAbefore_script:- export TRIVY_VERSION=$(wget -qO - " api.github /repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"])".*/\\1/')- echo $TRIVY_VERSION- wget --no-verbose githubaquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -allow_failure: truescript:# Build image- docker build -t $IMAGE .# Build report- ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE# Print report- ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --severity HIGH $IMAGE# Fail on severe vulnerabilities- ./trivy --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress $IMAGEcache:paths:- .trivycache/# Enables gitlab/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)artifacts:reports:container_scanning: gl-container-scanning-report.json
结合gitlab-ci容器扫描的例子:
image:name: docker.io/aquasec/trivy:latestentrypoint:[""]variables:# No need to clone the repo, we exclusively work on artifacts.GIT_STRATEGY: noneTRIVY_USERNAME: "$CI_REGISTRY_USER"TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"TRIVY_AUTH_URL: "$CI_REGISTRY"FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUGscript:- trivy --version# cache cleanup is needed when scanning images with the same tags, it does not remove the database- time trivy image --clear-cache# update vulnerabilities db- time trivy --download-db-only --no-progress --cache-dir .trivycache/# Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there- time trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/contrib/gitlab.tpl"--output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"# Prints full report- time trivy --exit-code 0 --cache-dir .trivycache/ --no-progress "$FULL_IMAGE_NAME"# Fail on critical vulnerabilities- time trivy --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress "$FULL_IMAGE_NAME"cache:paths:- .trivycache/# Enables gitlab/user/application_security/container_scanning/artifa
ct
