{"id":6542,"date":"2024-03-22T14:56:00","date_gmt":"2024-03-22T14:56:00","guid":{"rendered":"https:\/\/beta.bluetab.net\/?p=6542"},"modified":"2024-04-03T21:42:27","modified_gmt":"2024-04-03T21:42:27","slug":"container-vulnerability-scanning-with-trivy","status":"publish","type":"post","link":"https:\/\/bluetab.co.uk\/en\/container-vulnerability-scanning-with-trivy\/","title":{"rendered":"Container vulnerability scanning with Trivy"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Container vulnerability scanning
with Trivy<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\"\"<\/a><\/figure>

\u00c1ngel Maroco<\/a><\/h4>

AWS Cloud Architect<\/p><\/div><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t

\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t<\/i>\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t<\/i>\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Within the framework of security in container<\/span>, the build phase is of vital importance as\u00a0we\u00a0need to select the base image on which applications will run. Not having automatic mechanisms for vulnerability scanning can lead to production environments with insecure applications with the risks that involves.<\/p>

In this article we will cover vulnerability scanning using Aqua Security\u2019s\u00a0Trivy<\/strong>\u00a0solution, but before we begin, we need to explain what the basis is for these types of solutions for identifying vulnerabilities in Docker images.<\/p>

Introduction to CVE (Common Vulnerabilities and Exposures)<\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

CVE<\/a>\u00a0is a list of information maintained by\u00a0MITRE Corporation<\/a>\u00a0which is aimed at centralising the records of known security vulnerabilities, where each reference has a CVE-ID number, description of the vulnerability, which versions of the software are affected, possible fix for the flaw (if any) or how to configure to mitigate the vulnerability and references to publications or posts in forums or blogs where the vulnerability has been made public or its exploitation is demonstrated.<\/p>

The CVE-ID provides a standard naming convention for uniquely identifying a vulnerability. They are classified into 5 typologies, which we will look at in the\u00a0Interpreting the analysis<\/a>\u00a0section.\u00a0These types are assigned based on\u00a0<\/span>different<\/span>\u00a0metrics<\/span>\u00a0(if you are curious, see\u00a0CVSS Calculator v3<\/a>).<\/p>

CVE has become the standard for vulnerability recording, so it is used by the great majority of technology companies and individuals.<\/p>

There are various channels for keeping informed of all the news related to vulnerabilities:\u00a0official blog<\/a>,\u00a0Twitter<\/a>,\u00a0cvelist<\/a>\u00a0on GitHub and\u00a0LinkedIn<\/a>.<\/p>

If you want more detailed information\u00a0<\/span>about<\/span>\u00a0a vulnerability<\/span>, you can also consult the NIST website, specifically the\u00a0NVD<\/a>\u00a0(National Vulnerability Database).<\/p>

We invite you to search for one of the following critical vulnerabilities. It is quite possible that they have affected you directly or indirectly. We should forewarn you that they have been among the most discussed\u00a0\"data-src=\"<\/p>