Scan WSO2 Docker Images with Trivy
Every once in a while, security evolves to the point where it appears to be quite frightening to think about. Security considerations and protocols must be in place before releasing applications to a production environment in order to protect your assets. In an effort to contribute to the safety and security of your containerized applications, we are going to explore an important side of security through this blog.
Trivy (tri pronounced like trigger, vy pronounced like envy) is a simple and comprehensive scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and language-specific packages (Bundler, Composer, npm, yarn, etc.).
We’re focusing on container scans in this article. A Trivy scan analyses the base image of your Dockerfile for unsolved vulnerabilities that your containers may inherit. Trivy can also inspect operating system packages and source code dependencies that have been added using popular package managers.
Installing Trivy
Trivy can be installed in a number of Linux distributions as well as on MacOS. Installation of Trivy on Ubuntu will be covered on this blog. You can refer to the this blog for other operating systems.
You can either use Trivy’s repository or install it directly from its DEB source. To install from repository, add the following repo then proceed to install Trivy.
sudo apt-get install wget apt-transport-https gnupg lsb-releasewget -qO — https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee /etc/apt/sources.list.d/trivy.listsudo apt-get install wget apt-transport-https gnupg lsb-release
After adding the Trivy repository, update your server and install trivy package as follows:
sudo apt-get update sudo apt-get install trivy
After you will need to get the latest Trivy release then run the commands below: as follows:
wget wget https://github.com/aquasecurity/trivy/releases/download/
v0.21.0/trivy_0.20.2_Linux-64bit.debsudo apt install ./trivy_0.20.2_Linux-64bit.deb
To check run the below command, on successful installation you will get the following output:
trivy
Docker Image Scanning
Docker image scanning is a process of identifying known security vulnerabilities in the packages of your Docker image. This gives you the opportunity to find vulnerabilities in container images and fix them before pushing the image to a registry or running them as a container.
Trivy detects vulnerabilities of OS packages and also application dependencies. Before pushing to a container registry or deploying your application, you can scan your local container image and other artifacts easily. Hence, this gives you the confidence that all is well with your application without more stressful configurations to use like other scanners.
Now let us scan an image for vulnerability in it. In the below scan we are going to scan an nginx image of latest version.
trivy image <YOUR_IMAGE_NAME>
ex: trivy image nginxIf you’ve different tags for the same docker image you can use the following command.
trivy image <YOUR_IMAGE_NAME>:<TAG>
ex: trivy image nginx:latest
You can also filter the vulnerabilities according to the severity level (high, critical, medium, low, unknown). Use the below command.
trivy image --severity <SEVERITY_LEVEL> <YOUR_IMAGE_NAME>:<TAG>
ex: trivy image --severity CRITICAL nginx:latest
It would be easier if we could document this information in a text file rather than checking it out here. Use the following command to get the details into a text file.
trivy image --output <FILE_NAME> --severity <SEVERITY_LEVEL> <YOUR_IMAGE_NAME>:<TAG>ex: trivy image --output critical-vuln.txt --severity CRITICAL nginx:latest
WSO2 Docker Images Scanning
If you’re not familiar with the WSO2 docker images, I’ll give a brief introduction. First, you need to login to the WSO2 docker registry by executing the following command.
docker login docker.wso2.comIt will prompt to log in to your WSO2 account, enter the username and password.
Now you can pull required images with the following commands. This will pull the latest version of the WSO2 product images with all the updates up to date.
docker pull docker.wso2.com/<PRODUCT_NAME>
ex: docker pull docker.wso2.com/wso2isIf you want a particular version tag, you can pull it using the following command.
docker pull docker.wso2.com/wso2is:<VERSION_TAG>
ex: docker pull docker.wso2.com/wso2is:5.11.0.72-alpineNow you can scan the pulled docker image using the Trivy with the above mentioned commands.
ex:
trivy image docker.wso2.com/wso2is:5.11.0.72-alpinetrivy image --output alphine.txt --severity MEDIUM docker.wso2.com/wso2is:5.11.0.72-alpine
Happy reading!
References
[1] https://github.com/aquasecurity/trivy
[2] https://computingforgeeks.com/scan-docker-container-images-with-trivy/
[3]https://medium.com/@sajithekanayaka/how-to-obtain-wum-updated-wso2-docker-images-b0f045edf3b3
