Detection: Container Vulnerability Test with trivy

Introduction

Use Trivy to scan a container image for known vulnerabilities.

What is trivy?

Shift left using Aqua Trivy, the fastest way for DevOps and security teams to get started with vulnerability and infrastructure as code (IaC) scanning.

Container Vulnerability

Create a pod whose container runs the image nginx:1.14.2, scan that image for vulnerabilities with the open-source scanner Trivy, write the result to a report at ~/Desktop/image-report.txt, and finally delete the pod.

1. Install Trivy: https://aquasecurity.github.io/trivy/v0.18.3/installation/

  • on macOS with Homebrew:
$ brew install aquasecurity/trivy/trivy

2. Create a vulnerable pod running nginx:1.14.2

3. Use Trivy to Scan the Images Used in Pods

4. Write the scan report to the specific location ~/Desktop/image-report.txt.

  • ~/etc/image-report.txt

5. Delete Pods That Have Container Images with Severe Vulnerabilities

Example

1. Install Trivy and check the Trivy version.

$ trivy --version
Version: 0.24.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-03-02 06:07:07.99504083 +0000 UTC
  NextUpdate: 2022-03-02 12:07:07.99504023 +0000 UTC
  DownloadedAt: 2022-03-02 07:01:35.023999 +0000 UTC

2. Create a vulnerable pod running nginx:1.14.2

$ kubectl run vun-pod --image=nginx:1.14.2
pod/vun-pod created

3. Use Trivy to Scan the Images Used in Pods

$ trivy image nginx:1.14.2 > ~/Desktop/image-report.txt

4. Delete Pods That Have Container Images with Severe Vulnerabilities

$ kubectl get pod -A --output=custom-columns="NAME:.metadata.name,NAMESPACE:.metadata.namespace,IMAGE:.spec.containers[*].image"
NAME                               NAMESPACE     IMAGE
vun-pod                            default       nginx:1.14.2
cilium-jnpw4                       kube-system   quay.io/cilium/cilium:v1.11.2@sha256:4332428fbb528bda32fffe124454458c9b716c86211266d1a03c4ddf695d7f60
cilium-operator-5f6c65555d-mrg6h   kube-system   quay.io/cilium/operator-generic:v1.11.2@sha256:4c8bea6818ee3e4932f99e9c1d7efa88b8c0f3cd516160caec878406531e45e7
coredns-64897985d-pw8tc            kube-system   k8s.gcr.io/coredns/coredns:v1.8.6
etcd-minikube                      kube-system   k8s.gcr.io/etcd:3.5.1-0
kube-apiserver-minikube            kube-system   k8s.gcr.io/kube-apiserver:v1.23.3
kube-controller-manager-minikube   kube-system   k8s.gcr.io/kube-controller-manager:v1.23.3
kube-proxy-4dlkn                   kube-system   k8s.gcr.io/kube-proxy:v1.23.3
kube-scheduler-minikube            kube-system   k8s.gcr.io/kube-scheduler:v1.23.3
storage-provisioner                kube-system   gcr.io/k8s-minikube/storage-provisioner:v5
$ kubectl delete pod vun-pod -n default 
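The commands above scan one known image and delete one known pod by name. The script below is an added example, not part of the original post and not Trivy's or Kubernetes' own tooling: it automates steps 3 to 5 for a whole cluster by listing every image the pods use, scanning each image once with `trivy image --no-progress`, appending the table output to the report file, and deleting every pod whose image reaches a CRITICAL-finding threshold. A live run (`./scan.sh --scan 1`) assumes `kubectl` is pointed at the cluster and `trivy` is on PATH; without `--scan` it only exercises the two parsing helpers on constructed sample data. The pod `sidecar-demo`, the image `busybox:1.35` and the finding counts in the sample Trivy summary are invented for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: automate steps 3 to 5.
# Every image referenced by a pod is scanned with Trivy, the table output
# is appended to the report file, and pods whose image carries at least
# THRESHOLD CRITICAL findings are deleted. kubectl and trivy are only
# invoked when the script is run with --scan; the helpers are plain text
# processing so they can be exercised on the constructed samples below.
set -eu

REPORT="${REPORT:-${HOME:-.}/Desktop/image-report.txt}"

# Read `kubectl get pod -A -o custom-columns=NAME,NAMESPACE,IMAGE` output on
# stdin (header line first) and print "namespace/pod" for every pod that uses
# the image given as $1. kubectl joins the images of a multi-container pod
# with commas, so each entry is split before comparing.
pods_using_image() {
  awk -v img="$1" 'NR > 1 {
    n = split($3, imgs, ",")
    for (i = 1; i <= n; i++) if (imgs[i] == img) print $2 "/" $1
  }'
}

# Read Trivy table output on stdin and print the sum of the CRITICAL counts
# from its per-target summary lines, which look like
# "Total: 232 (UNKNOWN: 0, LOW: 65, MEDIUM: 91, HIGH: 58, CRITICAL: 18)".
# Prints 0 when no summary line is present.
critical_count() {
  awk '/^Total: / {
    for (i = 1; i <= NF; i++) if ($i == "CRITICAL:") {
      gsub(/[^0-9]/, "", $(i + 1)); sum += $(i + 1)
    }
  } END { print sum + 0 }'
}

# Live run: list pod images, scan each distinct image once, append the scan
# to REPORT, and delete the pods whose image meets the threshold.
scan_cluster() {
  threshold="${1:-1}"
  listing="$(kubectl get pod -A --output=custom-columns="NAME:.metadata.name,NAMESPACE:.metadata.namespace,IMAGE:.spec.containers[*].image")"
  : > "$REPORT"
  printf '%s\n' "$listing" | awk 'NR > 1 { print $3 }' | tr ',' '\n' | sort -u |
  while read -r image; do
    out="$(trivy image --no-progress "$image")"
    printf '%s\n' "$out" >> "$REPORT"
    crit="$(printf '%s\n' "$out" | critical_count)"
    echo "$image: CRITICAL=$crit"
    if [ "$crit" -ge "$threshold" ]; then
      printf '%s\n' "$listing" | pods_using_image "$image" |
      while IFS=/ read -r ns pod; do kubectl delete pod "$pod" -n "$ns"; done
    fi
  done
}

# Constructed sample output (not captured from a real cluster or scan).
SAMPLE_PODS='NAME NAMESPACE IMAGE
vun-pod default nginx:1.14.2
sidecar-demo default nginx:1.14.2,busybox:1.35
coredns-64897985d-pw8tc kube-system k8s.gcr.io/coredns/coredns:v1.8.6'
SAMPLE_TRIVY='nginx:1.14.2 (debian 9.8)
=========================
Total: 232 (UNKNOWN: 0, LOW: 65, MEDIUM: 91, HIGH: 58, CRITICAL: 18)'

if [ "${1:-}" = "--scan" ]; then
  scan_cluster "${2:-1}"
else
  echo "pods using nginx:1.14.2 in the sample listing:"
  printf '%s\n' "$SAMPLE_PODS" | pods_using_image nginx:1.14.2
  echo "CRITICAL findings in the sample report: $(printf '%s\n' "$SAMPLE_TRIVY" | critical_count)"
fi
```

Deleting a pod that is owned by a Deployment or DaemonSet only makes the controller recreate it from the same image, so in practice the threshold decision should feed back into the image tag in the workload spec; the script prints the per-image counts so that decision is visible in the output as well as in the report file.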