Your Docker Image Is Probably Vulnerable (Trivy)

Englishالعربية Deutsch Español Français हिन्दी Bahasa Indonesia 日本語 한국어 Português Русский 中文

Computing/SoftwareSmall Business/StartupsInternet Technology

Transcript

00:00:0087% of Docker images on Docker Hub contain critical or high vulnerabilities.

00:00:04So statistically, the image you're about to deploy?

00:00:08Yeah, it's probably vulnerable somewhere, somehow.

00:00:11And the scary part is you won't notice because everything still builds,

00:00:14everything still runs. Until it doesn't.

00:00:16This is Trivi, an open source tool that can find the problem in seconds with zero install.

00:00:21We have videos coming out all the time, be sure to subscribe.

00:00:29Trivi has blown up on GitHub with over 32,000 stars and it's being used more and more every day.

00:00:34And you'd expect a tool like this to only scan containers, but no, it actually scans everything.

00:00:40Containers, local file systems, Git repos, Kubernetes, misconfigurations, you name it.

00:00:45And it's even the default scanner in GitLab.

00:00:48This is infrastructure.

00:00:50And in the next 30 odd seconds or something, I'm going to show you how to put this to use.

00:00:53It's easy enough to actually make it usable, too.

00:00:56All right, no install here. The only real thing I did was clone their Git repo,

00:01:00as they have test containers, we can put this to run for quick use.

00:01:04Only other thing you have to do is open up Docker.

00:01:07Now in my terminal here in VS Code, we can just drop this line, which can be found in the docs.

00:01:12That's really it.

00:01:14Docker now pulls Trivi, runs it, scans the official Nginx image, and boom.

00:01:21Critical vulnerabilities will pop up if there are any to begin with, right here.

00:01:26Here's where it starts saving you, because if this is a real pipeline,

00:01:29you don't want to report, you want a hard stop on that program.

00:01:32Now, if it finds a critical vulnerability, exit code one,

00:01:36your pipeline is going to fail, and then the build is blocked.

00:01:39So the thing you expected, security tools just slow you down, Trivi kind of changes this here.

00:01:45This speeds you up because it prevents the rollback later.

00:01:49Now, cool, but container scanning is the easy part.

00:01:51The real issues usually come from what we commit.

00:01:54So yeah, containers are cool, but bad code is worse.

00:01:57Let's scan a disaster Docker file here.

00:01:59Again, this is just in the Trivi repo.

00:02:01Okay, I'm going to cd into Trivi demo.

00:02:03Now you can see here it catches insecure practices and problems like insecure base images,

00:02:07missing user directives, privileged configurations, outdated dependencies, you name it.

00:02:12It's going to kind of pick this up for us.

00:02:14This is what you want in CI, not after deployment before merge.

00:02:18Because if it gets merged, it becomes everyone's problem.

00:02:22Now fix the Docker file, run it again.

00:02:24It's all clean and ready to go.

00:02:26And if you're thinking, yeah, my repo is huge, good.

00:02:30That's exactly where this is most useful actually,

00:02:32because there are other tools out there that I'm going to touch on in a second.

00:02:35Now let's point it at an entire repo.

00:02:38File system scan dependencies, misconfigurations, everything.

00:02:41Since I'm using this repo, we can see if it all checks out relatively well.

00:02:45So where does this actually live day to day and what are people actually doing with this?

00:02:50You'd think that this is just a one-time scan tool, but it's not.

00:02:54Trivi fits into the places you already work.

00:02:56In local development, there's the VS code extension in CI, three lines of GitHub actions.

00:03:02And if you're in Kubernetes, Trivi operator auto scans every workload in your cluster.

00:03:07You just need one command in your pipeline.

00:03:09Some reports are showing supply chain attacks are up over 400%.

00:03:12Devs have always been a part of the security side of things, so this helps out.

00:03:17The best security tools don't slow you down, they block problems and more work down the line.

00:03:22I found Trivi to be pretty cool, but is this actually better than others?

00:03:26Because there are some.

00:03:26So let's be honest, there's other scanners out there.

00:03:29You may have already been using them.

00:03:31We got gripe, but it's containers only.

00:03:34Then there's snike, but costs money.

00:03:37Both of those are a reason that many others are turning to Trivi.

00:03:41It's fast, it's free.

00:03:42It handles things like containers, secret, SBOMs, Kubernetes file systems, all that stuff.

00:03:48It's kind of a more all-in-one tool.

00:03:50So if this is new to you, if it's not, what are your thoughts on Trivi?

00:03:53We'll see you in another video.

Key Takeaway

Trivy provides a fast, free, and comprehensive security scanning solution that prevents costly rollbacks by identifying vulnerabilities and misconfigurations before code is ever merged or deployed.

Highlights

Approximately 87% of Docker Hub images contain critical or high-level security vulnerabilities.

Trivy is an open-source, zero-install tool with over 32,000 GitHub stars used for comprehensive scanning.

The tool scans containers, local file systems, Git repositories, and Kubernetes configurations.

Trivy can be integrated into CI/CD pipelines to trigger a 'hard stop' via exit codes if vulnerabilities are found.

It addresses the 400% increase in supply chain attacks by shifting security left in the development lifecycle.

Compared to competitors like Grype or Snyk, Trivy is noted for being both all-in-one and free of cost.

Timeline

The Hidden Dangers of Docker Images

The speaker opens with a staggering statistic stating that 87% of images on Docker Hub harbor critical or high vulnerabilities. This section emphasizes that most deployments are likely vulnerable even if the build and execution processes appear successful. Trivy is introduced as an open-source solution capable of identifying these hidden problems in seconds with no formal installation required. The narrator argues that the 'scary part' is the lack of visible symptoms until a failure actually occurs. This sets the stage for why automated scanning tools have become essential for modern infrastructure.

Introduction to Trivy's Capabilities

Trivy has gained massive popularity on GitHub, amassing over 32,000 stars due to its versatility. Unlike traditional scanners that focus solely on containers, Trivy analyzes local file systems, Git repos, and Kubernetes environments. It has become the default scanner for GitLab, proving its reliability in professional infrastructure settings. The speaker notes that the tool also identifies misconfigurations that could lead to security breaches. This versatility allows it to function as a comprehensive security gatekeeper for various types of digital assets.

Practical Implementation and Pipeline Integration

The demonstration shows how to run Trivy using a single Docker command found in the official documentation, requiring no local setup. By scanning an official Nginx image, the tool quickly identifies any critical vulnerabilities present in the software. A key feature discussed is the use of 'exit code one' to create a hard stop in CI/CD pipelines if threats are detected. This mechanism prevents insecure code from moving forward, which the speaker argues actually speeds up development by avoiding future rollbacks. By blocking problems early, the tool shifts security responsibilities to a more manageable stage of the workflow.

Scanning Dockerfiles and Repositories

This segment focuses on scanning source code and Dockerfiles, where many real security issues originate from human error. The speaker demonstrates scanning a 'disaster Dockerfile' to catch insecure practices like privileged configurations and outdated dependencies. Identifying these issues before a merge is critical because once merged, a vulnerability becomes a collective problem for the entire team. Trivy handles large repositories efficiently, scanning the entire file system for secrets and misconfigurations simultaneously. The goal is to ensure a clean state before the code ever reaches the deployment phase.

Deployment Environments and Market Comparison

Trivy integrates into daily workflows through VS Code extensions, GitHub Actions, and a dedicated Kubernetes operator for live cluster monitoring. With supply chain attacks reportedly up over 400%, these integrations provide a necessary layer of defense for developers. The speaker compares Trivy to other tools, noting that Grype is limited to containers and Snyk often carries a financial cost. Trivy stands out as an all-in-one, free, and fast alternative that handles SBOMs, secrets, and cloud-native configurations. The video concludes by inviting viewers to share their experiences with the tool in their own development environments.

Community Posts

No posts yet. Be the first to write about this video!

Write about this video