Trivy is an open-source scanner from Aqua Security that checks container images for known vulnerabilities (CVEs) in OS packages and in application dependencies declared in language package files; it can also report misconfigurations and exposed secrets, but this article concentrates on the vulnerability scan.
In this article, I will describe how to scan images directly from your local Debian/Ubuntu machine, whether you built the image locally or pulled it from a remote registry.
Installation on Debian/Ubuntu
Per the official installation documentation, install Trivy from the Aqua Security apt repository as follows. The repository key is stored in its own keyring and scoped to this repository with signed-by, so it is not trusted for any other apt source. Note that tee -a appends, so running the block twice leaves a duplicate line in trivy.list.
sudo apt-get install wget apt-transport-https gnupg
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install -y trivy
Validate
# ensure trivy is installed and on PATH
trivy version
# check the standard location of the HTML template shipped with the .deb package
ls -l /usr/local/share/trivy/templates/html.tpl
Scanning locally built images
If you have already installed Docker and have locally built images, you can run a scan as follows. Trivy reads local images through the Docker daemon, so the user running it needs access to the Docker socket (typically membership of the docker group). On the first run Trivy also downloads its vulnerability database, which takes a moment and needs network access.
# list locally available images (repository, tag, image ID)
docker images
# scan a local image; results are printed as a table
trivy image <NAME>:<VERSION>
# same scan, written as a JSON report instead of a table
trivy image <NAME>:<VERSION> -f json -o report.json
Trivy outputs one result per target (the OS package set, plus any language package files it finds in the image), listing for each vulnerability its ID, the affected package, the installed and fixed versions, and the severity.
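The JSON report is what you would feed into a CI gate or a ticketing workflow. The script below is an added example (not part of Trivy or of the original article): it reads a report produced by trivy image -f json, counts findings per severity, lists the ones that already have a fixed version, and returns a non-zero gate result when anything at or above a chosen severity is present. The embedded SAMPLE_REPORT is constructed by hand to match the shape of Trivy's JSON output (SchemaVersion 2, Results[].Vulnerabilities[]); its CVE identifiers, package names and versions are placeholders, not real findings.

```python
"""Summarize a Trivy JSON report and gate on severity.

Added example, not Trivy's own code. SAMPLE_REPORT is a constructed stand-in
for `trivy image <NAME>:<VERSION> -f json -o report.json`; the CVE IDs and
versions in it are placeholders.
"""
import json
import sys
from collections import Counter

# Trivy's severity labels, lowest to highest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample with the same layout as a real report: one OS-package
# target, one language-package target, and one target with no vulnerabilities.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example/app:1.0",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "example/app:1.0 (alpine 3.20.1)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
                 "InstalledVersion": "3.3.0-r0", "FixedVersion": "3.3.1-r0",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
                 "InstalledVersion": "1.36.1-r0", "FixedVersion": "",
                 "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "requests",
                 "InstalledVersion": "2.25.0", "FixedVersion": "2.32.0",
                 "Severity": "CRITICAL"},
            ],
        },
        # A clean target: Trivy omits the Vulnerabilities key entirely.
        {"Target": "app/config.yaml", "Class": "config", "Type": "yaml"},
    ],
}


def iter_vulns(report):
    """Yield (target, vulnerability) pairs. Results without a Vulnerabilities
    key, and reports without a Results key, are skipped rather than crashing."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def count_by_severity(report):
    """Map every severity label to the number of findings at that level."""
    counts = Counter(v.get("Severity", "UNKNOWN") for _, v in iter_vulns(report))
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def fixable(report):
    """Findings that have a FixedVersion, i.e. a package upgrade resolves them."""
    return [(target, v["VulnerabilityID"], v["PkgName"],
             v["InstalledVersion"], v["FixedVersion"])
            for target, v in iter_vulns(report) if v.get("FixedVersion")]


def gate(report, threshold="HIGH"):
    """Return 1 (fail) if any finding is at or above threshold, else 0."""
    floor = SEVERITY_ORDER.index(threshold)
    return int(any(SEVERITY_ORDER.index(v.get("Severity", "UNKNOWN")) >= floor
                   for _, v in iter_vulns(report)))


if __name__ == "__main__":
    # Usage: python summarize.py [report.json] [THRESHOLD]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    threshold = sys.argv[2] if len(sys.argv) > 2 else "HIGH"
    for sev, n in count_by_severity(report).items():
        print(f"{sev:<9}{n}")
    for target, vid, pkg, cur, fixed in fixable(report):
        print(f"fixable: {vid} {pkg} {cur} -> {fixed} ({target})")
    sys.exit(gate(report, threshold))
```

Trivy can enforce the same gate itself with `trivy image --exit-code 1 --severity HIGH,CRITICAL <NAME>:<VERSION>` (add `--ignore-unfixed` to skip findings with no fixed version); parsing the JSON is useful when you also want to archive the report, enrich it, or apply policy that the CLI flags cannot express.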
Scanning remote images
You can scan remote images (e.g. on Docker Hub) either by giving Trivy the registry reference directly, or by pulling the image manually and then scanning it. When the reference is not found in the local Docker daemon, Trivy fetches the image layers from the registry itself, so the first form works without a docker pull. For example, here is how you would scan the Alpine 3.20.1 image on Docker Hub.
# trivy fetches the image from the registry and scans it
trivy image docker.io/alpine:3.20.1
# OR pull it manually and scan the local copy
docker pull alpine:3.20.1
trivy image alpine:3.20.1
Generating HTML report
If you want a human-readable report, you can use the HTML template that ships with the .deb package. The @ prefix tells Trivy to read the template from a file rather than treating the argument itself as the template text.
trivy image --format template --template "@/usr/local/share/trivy/templates/html.tpl" <NAME>:<VERSION> -o report.html
This produces a report similar to the one shown below.
REFERENCES
Docker docs, installing Docker on Debian/Ubuntu
Stack Overflow, generating an HTML report from Trivy
Trivy docs, outputting a JSON report
Aqua Security, enhancements in the licensed product