Integrate security into CI/CD with the Trivy scanner

Attacks on cloud-native infrastructures are on the rise. Research covering a six-month period in 2021 shows a 26% increase in attacks on container environments compared with the previous six months. Malicious actors target the auto-build process, pack their payloads, use rootkits, and compromise misconfigured APIs—often less than an hour after the environment is set up.

Automating vulnerability scanning within the development process reduces the likelihood of a successful attack and helps protect containerized workloads. One of the leading tools for this is Aqua Security’s Trivy, an easy-to-use open source vulnerability scanner that helps teams “shift left” by incorporating security into the build pipeline.

Since its inception just a few years ago, Trivy has gained widespread popularity and broad support for its simple approach and comprehensive vulnerability tracking across both OS packages and language-specific dependencies. The Cloud Native Computing Foundation’s end user community selected Trivy as a top devsecops tool for the 2021 CNCF End User Technology Radar. Trivy has been adopted by many leading cloud-native platforms and software providers, including Litmus, Kyverno, Istio, and ExternalDNS; it is the default scanner for Harbor, GitLab, and Artifact Hub; and Microsoft Azure Defender’s CI/CD scanning is powered by Trivy.

Trivy has evolved a great deal since its creation, and our focus on simplicity and effectiveness makes it a critical tool within any developer’s toolkit. In this article, I’d like to walk you through how Trivy integrates security into the build process, share some recent advancements, and explain how Trivy fits into the broader Aqua Security open source ecosystem for securing the full life cycle of cloud-native applications. 

How Trivy works

The cloud-native security journey begins with gaining visibility into vulnerabilities that exist in code. Identifying and mitigating issues in the development stage reduces the attack surface and eliminates risk. For cloud-native applications, this involves scanning images and functions as they are being built, to detect issues early and allow for quick remediation, as well as continuously scanning registries to account for newly discovered vulnerabilities.

Trivy enables devops teams to set up and start scanning as fast as development requires. Deployment and integration into the CI/CD pipeline is as simple as downloading and installing the binary. Trivy can be integrated into CI tools, such as Travis CI, CircleCI, and GitLab CI. Trivy can be set to fail the job run if a vulnerability is found. Trivy is also available as a GitHub Action, which enables easy integration with GitHub code scanning. Developers can build container image scanning into their GitHub Actions workflow to find and eliminate vulnerabilities before they reach production.
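The integration described above, as an added example that is not part of the original article or the Trivy project’s own documentation: a GitHub Actions workflow that builds a container image, scans it with the Trivy action, fails the job on HIGH or CRITICAL findings, and uploads the SARIF report to GitHub code scanning. The image name, branch names and the action references are assumptions; pin the action refs to a release tag or commit SHA in a real pipeline.

```yaml
name: container-scan

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # required to upload SARIF to GitHub code scanning

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    env:
      # Hypothetical image name; replace with your own registry and repository.
      IMAGE: ghcr.io/example-org/example-app:${{ github.sha }}
    steps:
      - uses: actions/checkout@v4

      # Build the image locally so it is scanned before it is pushed anywhere.
      - name: Build image
        run: docker build -t "$IMAGE" .

      # Scan OS packages and language dependencies inside the image.
      # exit-code: '1' fails the job when a HIGH or CRITICAL finding exists;
      # ignore-unfixed skips vulnerabilities with no upstream fix yet, so the
      # gate only blocks on issues the team can actually remediate.
      - name: Trivy scan (gate the build)
        uses: aquasecurity/trivy-action@master   # assumption: pin to a release tag in practice
        with:
          image-ref: ${{ env.IMAGE }}
          format: sarif
          output: trivy-results.sarif
          exit-code: '1'
          ignore-unfixed: true
          severity: CRITICAL,HIGH

      # Upload results even when the scan step failed, so the findings still
      # appear in the repository's Security tab (GitHub code scanning).
      - name: Upload Trivy results to code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```

With `exit-code: '1'` the scan step is what fails the run, so the upload step needs `if: always()` or the report never reaches code scanning on exactly the builds that matter. Teams introducing the gate on an existing codebase often start with `severity: CRITICAL` and widen it once the backlog is cleared.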

Copyright © 2021 IDG Communications, Inc.
