Securing Container Image using trivy in CICD Pipeline

Hello Everyone, I hope you guys are doing well. In this blog, I am going to explain how we can keep our Docker images free of known vulnerabilities. There are numerous tools to scan Docker images, but I am going to use one of the awesome tools, Trivy by Aqua Security. I will walk you through installing it and integrating it into a Jenkins CI/CD pipeline.

What is Trivy?

Trivy is a simple and comprehensive scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues.

How to install?

Installing Trivy is easy and simple. You can use the latest binary release from the official Trivy GitHub repo.

https://github.com/aquasecurity/trivy/releases

In this blog, we are going to automate Trivy in the CI/CD pipeline. Trivy will scan the Docker image on every build and publish the report in HTML format so that developers can access it easily.

Let’s first install Trivy on our Jenkins server.

$ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin

Verify that the installation succeeded.

$ trivy --version

Trivy in action: scanning a Docker image.

$ trivy image nginx:alpine

Adding a Trivy Stage in the Jenkins CI/CD Pipeline

We have verified that Trivy works on the server. Now we will add Trivy to our Jenkins pipeline.

I assume you have basic knowledge of Jenkins pipelines. We will use a separate stage to scan the Docker images. Let’s add a stage, Trivy Scan, just after the build stage (where the Docker image is built).

stage('Trivy Scan') {
    steps {
        script {
            sh """trivy image --format template --template \"@/home/vijeta1/contrib/html.tpl\" --output trivy_report.html XXXXXXX.dkr.ecr.ap-south-1.amazonaws.com/${params.SERVICE}:${BUILD_NUMBER}"""
        }
    }
}

The Trivy Scan stage simply executes the trivy command against the newly built Docker image. The --format template and --template flags make Trivy write the scan report in HTML format using Trivy's html.tpl template, and --output names the file it is written to.

Make sure that the path to the template is correct and that the template is present on the Jenkins server. Also, in my case, I am using the jenkins user for the pipeline script, so don’t forget to grant the jenkins user permission on the template. You can do this easily with the command

$ chown -R jenkins:jenkins /home/vijeta1/contrib

Publishing Trivy Scan Reports

After the Trivy Scan stage has run successfully, an HTML report of the vulnerabilities present in the Docker image has been saved to the file trivy_report.html. Let’s publish the Trivy HTML report in Jenkins. At the end of the pipeline script, add

post {
    always {
        archiveArtifacts artifacts: "trivy_report.html", fingerprint: true

        publishHTML (target: [
            allowMissing: false,
            alwaysLinkToLastBuild: false,
            keepAll: true,
            reportDir: '.',
            reportFiles: 'trivy_report.html',
            reportName: 'Trivy Scan',
        ])
    }
}

This will publish the Trivy HTML report in Jenkins for each build.
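The two fragments above (the Trivy Scan stage and the post block) are shown in isolation. The following declarative Jenkinsfile is an added example, not the author's pipeline, that puts them together and adds the step most teams want next: a second Trivy run used as a quality gate, so the build fails before the image is pushed when a fixable CRITICAL finding is present. The Build and Push stages, the SERVICE parameter, the registry placeholder and the template path are assumptions taken from or modelled on the post; the publishHTML step comes from the HTML Publisher plugin, which must be installed on the Jenkins controller.

```groovy
// Added example: complete Jenkinsfile combining the Trivy Scan stage and the
// publishing post block from the post. Not the author's pipeline; the Build and
// Push stages, SERVICE parameter, registry host and template path are assumptions.
pipeline {
    agent any

    parameters {
        // Assumed: the repository name the post refers to as params.SERVICE
        string(name: 'SERVICE', defaultValue: 'my-service', description: 'Image repository name')
    }

    environment {
        // Placeholder registry host as written in the post; replace with your own
        REGISTRY       = 'XXXXXXX.dkr.ecr.ap-south-1.amazonaws.com'
        // Location of Trivy's contrib/html.tpl on the Jenkins agent (assumed, as in the post)
        TRIVY_TEMPLATE = '/home/vijeta1/contrib/html.tpl'
        IMAGE          = "${REGISTRY}/${params.SERVICE}:${BUILD_NUMBER}"
    }

    stages {
        stage('Build') {
            steps {
                // Assumed build step; the post only says the image is built in the build stage
                sh "docker build -t ${IMAGE} ."
            }
        }

        stage('Trivy Scan') {
            steps {
                // Pass 1: full HTML report for developers. The exit code is left at 0 so the
                // report is always produced, even when the image has findings.
                sh """
                    trivy image --no-progress \\
                        --format template --template "@${TRIVY_TEMPLATE}" \\
                        --output trivy_report.html ${IMAGE}
                """
                // Pass 2: quality gate. Trivy exits with status 1 when a CRITICAL
                // vulnerability that has a fixed version is present, which fails the
                // build here. The second run reuses Trivy's local cache, so it is cheap.
                sh """
                    trivy image --no-progress --exit-code 1 \\
                        --severity CRITICAL --ignore-unfixed ${IMAGE}
                """
            }
        }

        stage('Push') {
            steps {
                // Only reached when the gate above passed
                sh "docker push ${IMAGE}"
            }
        }
    }

    post {
        always {
            // Keep the raw report with the build record even when the gate failed.
            // allowEmptyArchive covers the case where Build failed and no report exists.
            archiveArtifacts artifacts: 'trivy_report.html', fingerprint: true, allowEmptyArchive: true

            // Provided by the HTML Publisher plugin
            publishHTML(target: [
                allowMissing         : true,
                alwaysLinkToLastBuild: false,
                keepAll              : true,
                reportDir            : '.',
                reportFiles          : 'trivy_report.html',
                reportName           : 'Trivy Scan'
            ])
        }
    }
}
```

Two design choices are worth noting. The report and the gate are separate runs on purpose: the HTML report should exist for every build, including the ones the gate rejects, while the gate's --severity and --ignore-unfixed settings can be tightened over time (for example to HIGH,CRITICAL) without touching the report. Also, Jenkins serves published HTML under a restrictive Content-Security-Policy, so the report may appear without its styling in the browser; the archived artifact is the same file and can be downloaded and opened locally.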

You can open the report for each build and look for the vulnerabilities in it, then start fixing them to make your Docker images more secure.

Thanks for reading, hope you learned something new. Do clap and share if you like.

Twitter: 7he_unlucky_guy


Security Engineer | Never Forgive Never Forget
