
Container security

Trivy

Config

  • Configuration
  • CLI options can also be set as env vars (e.g. --debug -> TRIVY_DEBUG=true trivy ...)

Usage

Show the different trivy component versions (core, Vulnerability DB, Check Bundle) together with download times:

trivy --version

Scan the local filesystem for misconfigurations (e.g. to check a Containerfile, among other files):

trivy config .

Scan container image:

trivy image php:8.4.4-apache-bullseye
trivy image php:8.4.4-apache-bullseye | head -5  # Hide details
TRIVY_IGNORE_UNFIXED=true trivy image php:8.4.4-apache-bullseye # Only show fixed CVEs

Ignore checks

Docs: Filtering

Ignore checks with a .trivyignore

$ cat .trivyignore
# Root file system is not read-only
# https://avd.aquasec.com/misconfig/kubernetes/general/avd-ksv-0014/
AVD-KSV-0014
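To see how the two filters above (TRIVY_IGNORE_UNFIXED and the .trivyignore list) act on a report, here is an added example, not Trivy's own code: it applies both filters to a constructed report laid out like `trivy ... --format json` output (only the fields it reads; the IDs and the KSV line from the .trivyignore above are the sample data).

```python
import json

# Constructed sample report in the shape of `trivy --format json` output.
# Field names follow Trivy's JSON layout; the findings themselves are made up.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "php:8.4.4-apache-bullseye (debian 11.11)", "Class": "os-pkgs",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-0000-0001", "FixedVersion": "1.0-2", "Severity": "HIGH"},
         {"VulnerabilityID": "CVE-0000-0002", "FixedVersion": "", "Severity": "CRITICAL"},
         {"VulnerabilityID": "CVE-0000-0003", "FixedVersion": "1.0", "Severity": "LOW"},
     ]},
    {"Target": "deploy.yaml", "Class": "config",
     "Misconfigurations": [
         {"ID": "KSV014", "AVDID": "AVD-KSV-0014", "Severity": "HIGH", "Status": "FAIL"},
         {"ID": "KSV012", "AVDID": "AVD-KSV-0012", "Severity": "MEDIUM", "Status": "FAIL"},
     ]},
]})

# Constructed .trivyignore: comment and blank lines are skipped, one ID per line.
SAMPLE_TRIVYIGNORE = """
# Root file system is not read-only
# https://avd.aquasec.com/misconfig/kubernetes/general/avd-ksv-0014/
AVD-KSV-0014
CVE-0000-0003
"""


def parse_trivyignore(text):
    """Return the set of IDs listed in a .trivyignore file."""
    ids = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            ids.add(line.split()[0])
    return ids


def remaining_findings(report_json, ignore_text, ignore_unfixed=False):
    """(ID, severity) pairs that survive .trivyignore and, optionally, ignore-unfixed."""
    ignored = parse_trivyignore(ignore_text)
    keep = []
    for result in json.loads(report_json)["Results"]:
        for v in result.get("Vulnerabilities", []):
            # ignore_unfixed mirrors TRIVY_IGNORE_UNFIXED=true: drop entries with no fix
            if v["VulnerabilityID"] in ignored or (ignore_unfixed and not v.get("FixedVersion")):
                continue
            keep.append((v["VulnerabilityID"], v["Severity"]))
        for m in result.get("Misconfigurations", []):
            # only failed checks are findings; .trivyignore may list the AVD or short ID
            if m.get("Status") != "FAIL" or {m["AVDID"], m["ID"]} & ignored:
                continue
            keep.append((m["AVDID"], m["Severity"]))
    return keep
```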

Inline ignores

  • Docs: Ignore by Inline Comments
  • Only works in certain file types (e.g. OpenTofu files); doesn't seem to work in a Containerfile
  • e.g.: #trivy:ignore:AVD-GCP-0051

pre-commit hook

Usage:

- repo: https://github.com/mxab/pre-commit-trivy.git
  rev: v0.12.0
  hooks:
    - id: trivyconfig-docker
      args:
        - Containerfile