
Simplify Cloud Native Security with Trivy

Trivy is now one tool for all cloud native scanning needs including source code, repositories, images, artifact registries, Infrastructure as Code (IaC) templates and Kubernetes environments. With fewer tools to manage, developers, DevOps and DevSecOps now have a more efficient, simplified tool to ensure security of their cloud native applications. They can integrate security into their workflows without having to leave their continuous integration or continuous deployment (CI/CD) environments. By integrating more cloud native scanning targets into Trivy, such as Kubernetes, Trivy is simplifying cloud native security.

Teppei Fukuda

August 05, 2022

Transcript

  1. Simplify Cloud Native Security with Trivy
    Teppei Fukuda / August 5th, 2022
    CloudNative Security Conference 2022
    © 2022 Aqua Security Software Ltd., All Rights Reserved

  2. Teppei Fukuda
    Open Source Team, Aqua Security
    @knqyf263

  3. Agenda
    Overview of Cloud Native Security
    Where to start
    How Trivy helps
    Summary

  4. The Application Development Lifecycle
    Stages: Code → Build → Deploy → Run
    App track: Code (custom, 3rd party, OSS) → Image → Artifact registry → Functions / VMs / Containers
    Infra track: IaC → Git, CI → CD, Orchestrator → Cloud accounts

  5. The Application Development Lifecycle: Artifact Scanning and Runtime
    The same lifecycle diagram as slide 4, annotated with two phases: "Artifact Scanning" and "Runtime".

  6. Cloud Native Application Protection Platforms (CNAPP)
    Source: Gartner, Inc., "Innovation Insight for Cloud-Native Application Protection Platforms"
    Three capability groups spanning Dev, Ops and Sec:
    • Artifact Scanning: SAST/DAST, API scanning, Secrets scanning, Malware scanning, Software Composition Analysis (SCA), Infrastructure as Code scanning
    • Cloud Configuration: Network Configuration and Security Policy, Cloud Infrastructure Entitlements Mgmt, Kubernetes Security Posture Management (KSPM), Cloud Security Posture Management (CSPM)
    • Runtime Protection: Web Application and API Protection, Application Monitoring, Cloud Workload Protection Platform (CWPP), Network Segmentation, Workload Vulnerability/Config

  7. Open Source Security Tools
    The CNAPP diagram from slide 6 (Gartner, Inc.) with open source tools mapped onto it, e.g. Gitleaks and gosec.

  8. Where to start…?
    The same CNAPP diagram with open source tools (Gitleaks, gosec) mapped onto it, asking where to start.

  9. The Application Development Lifecycle: Artifact Scanning and Runtime
    Repeat of slide 5: the lifecycle diagram (Code → Build → Deploy → Run; App and Infra tracks) annotated with "Artifact Scanning" and "Runtime".

  10. Which stage to secure
    The lifecycle diagram from slide 4 again (Code → Build → Deploy → Run; App and Infra tracks), asking which stage to secure.

  11. Dev: Trust your Code
    • SCA, IaC Scanning, SAST/DAST, Fuzzing, Secrets Scanning
    • Preventing security from slowing down development
    DevOps / DevSecOps: Secure your Artifact
    • Container Image Scanning (vulnerabilities, secrets, malware, etc.), Supply Chain Security
    • Preventing vulnerable artifacts from deploying
    Infrastructure / Cloud / Security: Harden your Deployment
    • CSPM, KSPM, Network Configuration, Workload Vulnerability/Config
    • Scan cloud deployments for security issues like misconfigurations
    Security Operations: Handle Attack
    • AV, EDR, IDS/IPS/WAF, Container / VMs / Server Protection
    • Visibility and protection for cloud native development

  12. Build
    Repeats the Dev and DevOps / DevSecOps columns of the slide 11 diagram, labelled "Build".

  13. Deploy
    Repeats the Dev, DevOps / DevSecOps and Infrastructure / Cloud / Security columns of the slide 11 diagram (the infrastructure column listing CSPM, KSPM and Workload Vulnerability/Config), labelled "Deploy".

  14. Attack: Prevent, Detect, Block
    Repeats the full slide 11 diagram (Dev, DevOps / DevSecOps, Infrastructure / Cloud / Security, Security Operations) with the labels "Attack" and "Prevent / Detect / Block" added. From this slide on, the Security Operations tagline reads "Visibility and protection for cloud native deployments".

  15. Build, Deploy, Attack
    Repeats the full slide 11 diagram with the stage labels "Build", "Deploy" and "Attack" added.

  16. Shifting Left
    Repeats the full slide 11 diagram with a priority scale from High to Low laid across the columns.

  17. Why shifting security left matters
    https://cloud.google.com/blog/products/identity-security/shift-left-on-google-cloud-security-invest-now-save-later

  18. Invest early, save later
    Repeats the full slide 11 diagram, annotated "Still too much".

  19. https://www.darkreading.com/vulnerabilities---threats/missing-patches-misconfiguration-top-technical-breach-causes/d/d-id/1337410

  20. Number of known vulnerabilities
    • Log4Shell
    • Spring4Shell
    • ProxyShell
    • ProxyLogon
    • ZeroLogon

  21. Misconfiguration-Caused Breach
    https://www.trendmicro.com/vinfo/pl/security/news/virtualization-and-cloud/data-on-123-million-us-households-exposed-due-to-misconfigured-aws-s3-bucket
    https://www.darkreading.com/attacks-breaches/misconfigured-elasticsearch-instance-exposes-more-than-5-billion-records/d/d-id/1337368
    https://www.computerweekly.com/news/252435544/Unprotected-Kubernetes-consoles-expose-firms-to-cryptojacking

  22. Start with Patch & Misconfiguration Scanning
    Repeats the full slide 11 diagram (Dev, DevOps / DevSecOps, Infrastructure / Cloud / Security, Security Operations).

  23. What's Trivy?
    The Swiss Army Knife for Security Scanning
    • Started as a vulnerability scanner for container images
    • Joined Aqua Security in 2019
    https://github.com/aquasecurity/trivy

  24. Highlights
    • Comprehensive Security Issues
    • Easy Setup
    • High Accuracy

  25. Vulnerability Scanning
    • Alpine Linux
    • Debian
    • Python
    • Go
    • Java
    • etc.

  26. Scan filesystem for vulnerabilities
    $ trivy fs [YOUR_PROJECT_DIR]

  27. Scan filesystem for vulnerabilities
    Scan your project including a lock file with the "filesystem" or "fs" subcommand
    $ trivy fs ./myproject
    Pipfile.lock
    ============
    Total: 9 (UNKNOWN: 1, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
    +---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
    | LIBRARY             | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION          | TITLE                              |
    +---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
    | django              | CVE-2020-7471    | HIGH     | 2.0.9             | 3.0.3, 2.2.10, 1.11.28 | django: potential                  |
    |                     |                  |          |                   |                        | SQL injection via                  |
    |                     |                  |          |                   |                        | StringAgg(delimiter)               |
    +                     +------------------+----------+                   +------------------------+------------------------------------+
    |                     | CVE-2019-19844   | MEDIUM   |                   | 3.0.1, 2.2.9, 1.11.27  | Django: crafted email address      |
    |                     |                  |          |                   |                        | allows account takeover            |
    +---------------------+------------------+----------+-------------------+------------------------+------------------------------------+

  28. Scan git repository
    $ trivy repo [REPOSITORY_URL]
    e.g.
    $ trivy repo github.com/aquasecurity/tracee

  29. Infrastructure as Code (IaC) scanning
    • Terraform
    • CloudFormation
    • Kubernetes
    • Helm chart
    • Dockerfile

  30. Misconfiguration scanning
    $ trivy fs --security-checks config [YOUR_PROJECT_DIR]

  31. Misconfiguration scanning

  32. Helm chart scanning
    Demo

  33. Custom policies (OPA/Rego)
    package user.kubernetes.ID001

    import lib.result

    __rego_metadata__ := {
      "id": "ID001",
      "title": "Deployment not allowed",
      "severity": "LOW",
      "description": "Deployments are not allowed because of some reasons.",
    }

    __rego_input__ := {
      "selector": [
        {"type": "kubernetes"},
      ],
    }

    deny[res] {
      input.kind == "Deployment"
      msg := sprintf("Found deployment '%s' but deployments are not allowed", [input.metadata.name])
      res := result.new(msg, input)
    }
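
The policy above has three parts: metadata (id, title, severity, description), an input selector, and a deny rule that produces a result. The following is an added example (not Trivy's or Aqua's code) that evaluates the same "Deployment not allowed" rule, plus a second, constructed check (ID002, privileged containers) over in-memory Kubernetes manifests in Python, so the shape of a misconfiguration check can be followed without a Rego runtime. The manifests and the ID002 check are constructed for the example.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    """Check metadata, the same fields as __rego_metadata__ in the policy above."""
    id: str
    title: str
    severity: str
    description: str


@dataclass(frozen=True)
class Result:
    """One finding, the counterpart of result.new(msg, input) in the Rego policy."""
    check_id: str
    severity: str
    message: str
    resource: str


# ID001 reuses the metadata of the slide's policy. ID002 is a constructed, hypothetical
# second check, added to show a field-level test on the pod spec.
ID001 = Check("ID001", "Deployment not allowed", "LOW",
              "Deployments are not allowed because of some reasons.")
ID002 = Check("ID002", "Privileged container", "HIGH",
              "Containers must not set securityContext.privileged: true.")


def resource_name(doc: dict) -> str:
    return f"{doc.get('kind', '<no kind>')}/{doc.get('metadata', {}).get('name', '<unnamed>')}"


def pod_spec(doc: dict) -> dict:
    """Pod spec for a Pod, or for a workload (Deployment, etc.) that wraps a pod template."""
    if doc.get("kind") == "Pod":
        return doc.get("spec", {})
    return doc.get("spec", {}).get("template", {}).get("spec", {})


def deny_deployment(doc: dict) -> list[Result]:
    # Same rule as the Rego policy: any Deployment is denied.
    if doc.get("kind") != "Deployment":
        return []
    msg = f"Found deployment '{doc['metadata']['name']}' but deployments are not allowed"
    return [Result(ID001.id, ID001.severity, msg, resource_name(doc))]


def deny_privileged(doc: dict) -> list[Result]:
    spec = pod_spec(doc)
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return [
        Result(ID002.id, ID002.severity, f"Container '{c.get('name')}' runs privileged",
               resource_name(doc))
        for c in containers
        if c.get("securityContext", {}).get("privileged") is True
    ]


POLICIES = [deny_deployment, deny_privileged]


def evaluate(docs: list[dict], policies=POLICIES) -> list[Result]:
    """Apply every policy to every manifest document, like a config scan over a directory."""
    return [res for doc in docs for policy in policies for res in policy(doc)]


# Constructed manifests (the JSON form of what would be YAML on disk).
SAMPLE_MANIFESTS = [
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "app", "image": "example.test/web:1.0"},
         {"name": "sidecar", "image": "example.test/agent:1.0",
          "securityContext": {"privileged": True}},
     ]}}}},
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
     "spec": {"containers": [{"name": "shell", "image": "example.test/tools:1.0"}]}},
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "web"},
     "spec": {"ports": [{"port": 80}]}},
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_MANIFESTS):
        print(json.dumps(r.__dict__))
```

Each check returns a list so that one document can yield several findings (one per offending container), which is also why the Rego rule is a set rule (`deny[res]`) rather than a boolean.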

  34. Developer Security
    Repeats the full slide 11 diagram with the "Build" stage label added.

  35. Visual Studio Code and JetBrains
    https://marketplace.visualstudio.com/items?itemName=AquaSecurityOfficial.trivy-vulnerability-scanner

  36. Scan container images for vulnerabilities
    Repeats the full slide 11 diagram (Dev, DevOps / DevSecOps, Infrastructure / Cloud / Security, Security Operations).

  37. Container image scanning
    $ trivy image [YOUR_IMAGE_NAME]

  38. Example
    $ trivy image alpine:3.10.7
    2021-07-13T18:16:52.490+0300 INFO Detected OS: alpine
    2021-07-13T18:16:52.490+0300 INFO Detecting Alpine vulnerabilities...
    alpine:3.10.7 (alpine 3.10.7)
    =============================
    Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
    +------------+------------------+----------+-------------------+---------------+---------------------------------------+
    | LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE                                 |
    +------------+------------------+----------+-------------------+---------------+---------------------------------------+
    | apk-tools  | CVE-2021-30139   | HIGH     | 2.10.4-r2         | 2.10.6-r0     | In Alpine Linux apk-tools             |
    |            |                  |          |                   |               | before 2.12.5, the tarball            |
    |            |                  |          |                   |               | parser allows a buffer...             |
    |            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-30139 |
    +------------+------------------+          +-------------------+---------------+---------------------------------------+
    | busybox    | CVE-2021-28831   |          | 1.30.1-r4         | 1.30.1-r5     | busybox: invalid free or segmentation |
    |            |                  |          |                   |               | fault via malformed gzip data         |
    |            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-28831 |
    +------------+------------------+----------+-------------------+---------------+---------------------------------------+

  39. Detect comprehensive vulnerabilities
    • OS packages
      • Debian / Ubuntu
      • Red Hat Enterprise Linux / CentOS
      • Alpine Linux
      • Amazon Linux
      • Oracle Linux
      • openSUSE / SUSE Enterprise Linux
      • Photon OS
      • Google Distroless
      • AlmaLinux / Rocky Linux
      • CBL-Mariner
    • Language-specific packages
      • Ruby
      • PHP
      • Python
      • JavaScript / Node.js
      • Rust
      • Java
      • Go
      • .NET

  40. Integrations

  41. Continuous Integration (CI)

  42. GitLab

  43. Harbor
    https://goharbor.io/blog/harbor-2.0/

  44. Azure Defender for Cloud
    https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-cicd

  45. Rancher Desktop
    https://github.com/rancher-sandbox/rancher-desktop/releases/tag/v0.4.0

  46. Docker Extensions (Docker Desktop)
    https://blog.aquasec.com/container-image-scanning-docker-desktop-with-trivy

  47. Key Takeaways
    • Top Technical Breach Causes
    • Invest early, save later
    Repeats the Dev and DevOps / DevSecOps columns of the slide 11 diagram (Trust your Code; Secure your Artifact).

  48. Hard-coded secrets scanning
    • AWS Access Key ID / Secret Access Key
    • GCP Service Account
    • GitHub Personal Access Token
    • Slack Access Token
    • etc.

  49. Secret scanning
    Enabled by default
    $ trivy image [YOUR_IMAGE]
    $ trivy fs [YOUR_PROJECT_DIR]
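
To show what a hard-coded secret scanner of the kind described on slides 48 and 49 actually does, here is an added Python example (not Trivy's code, and not its rule set): a small rule table of regular expressions for the secret types listed above, run line by line over a constructed in-memory file tree, with a skip list for directories that are expensive and pointless to scan. The patterns are this example's own approximations of the public token formats; the AWS values in the sample are the documented example credentials from AWS's own documentation, and the GitHub and Slack tokens are made-up strings of the right shape.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule_id: str
    severity: str
    masked: str  # first 4 characters of the match, the rest replaced by '*'


# Rule table. The patterns are this example's own approximations of the public
# token formats for the secret types listed on the slides, not Trivy's rule set.
RULES = [
    ("aws-access-key-id", "CRITICAL", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws-secret-access-key", "CRITICAL",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")),
    ("gcp-service-account", "CRITICAL", re.compile(r'"type"\s*:\s*"service_account"')),
    ("github-pat", "CRITICAL", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("slack-access-token", "HIGH", re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b")),
]


def mask(secret: str) -> str:
    """Never echo the full secret into logs or reports."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_id, severity, pattern in RULES:
            for m in pattern.finditer(line):
                # Rules with a capture group report only the secret part of the match.
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(path, lineno, rule_id, severity, mask(secret)))
    return findings


def scan_files(files: dict[str, str], skip_dirs: tuple[str, ...] = ()) -> list[Finding]:
    """Scan an in-memory tree; skip_dirs plays the role of a skip list for paths that
    are costly and pointless to scan (vendored dependencies, build caches)."""
    findings = []
    for path, text in files.items():
        if any(path == d or path.startswith(d.rstrip("/") + "/") for d in skip_dirs):
            continue
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample tree (see the lead-in for where the sample values come from).
SAMPLE_FILES = {
    "config/.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "ci/deploy.sh": (
        "#!/bin/sh\n"
        "curl -H 'Authorization: token ghp_0123456789abcdef0123456789abcdef0123' "
        "https://api.github.com/user\n"
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; never commit it.\n",
    "node_modules/pkg/test.js": "const t = 'xoxb-1234567890-abcdefghij';\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES, skip_dirs=("node_modules",)):
        print(f"{f.path}:{f.line} {f.severity} {f.rule_id} {f.masked}")
```

Two details matter in practice: the README line mentions the variable name but contains no key, so a rule anchored on the token format (not on the word "AWS") does not fire on it; and findings carry a masked value, so the report itself never becomes a second copy of the secret.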

  50. Optimization
    FROM debian:8
    RUN apt-get update
    COPY mysecret.txt /
    ENTRYPOINT ["entrypoint.sh"]
    CMD ["somecmd"]
    Secret scanning is quite slow
    No need to scan

  51. License classification
    • Forbidden
    • Restricted
    • Reciprocal
    • Notice
    • Etc.
    https://opensource.google/documentation/reference/thirdparty/licenses

  52. License scanning (compliance)
    $ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
    2022-07-13T17:28:39.526+0300 INFO License scanning is enabled
    OS Packages (license)
    =====================
    Total: 6 (UNKNOWN: 0, HIGH: 6, CRITICAL: 0)
    +-------------------+---------+----------------+----------+
    | Package           | License | Classification | Severity |
    +-------------------+---------+----------------+----------+
    | alpine-baselayout | GPL-2.0 | Restricted     | HIGH     |
    +-------------------+         |                |          |
    | apk-tools         |         |                |          |
    +-------------------+         |                |          |
    | busybox           |         |                |          |
    +-------------------+         |                |          |
    | musl-utils        |         |                |          |
    +-------------------+         |                |          |
    | scanelf           |         |                |          |
    +-------------------+         |                |          |
    | ssl_client        |         |                |          |
    +-------------------+---------+----------------+----------+

  53. Extended license scanning
    Scan license files and file headers (--license-full)
    $ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana
    2022-07-13T17:48:40.905+0300 INFO Full license scanning is enabled
    Loose File License(s) (license)
    ===============================
    Total: 6 (UNKNOWN: 4, HIGH: 0, CRITICAL: 2)
    +----------------+----------+--------------+--------------------------------------------------------------------------+
    | Classification | Severity | License      | File Location                                                            |
    +----------------+----------+--------------+--------------------------------------------------------------------------+
    | Forbidden      | CRITICAL | AGPL-3.0     | /usr/share/grafana/LICENSE                                               |
    +----------------+----------+--------------+--------------------------------------------------------------------------+
    | Non Standard   | UNKNOWN  | BSD-0-Clause | /usr/share/grafana/public/build/5069.d6aae9dd11d49c741a80.js.LICENSE.txt |
    |                |          |              +--------------------------------------------------------------------------+
    |                |          |              | /usr/share/grafana/public/build/6444.d6aae9dd11d49c741a80.js.LICENSE.txt |
    +----------------+----------+--------------+--------------------------------------------------------------------------+

  54. Trivy covers more
    Repeats the full slide 11 diagram (Dev, DevOps / DevSecOps, Infrastructure / Cloud / Security, Security Operations).

  55. Kubernetes cluster scanning
    # cluster scanning
    $ trivy k8s --report summary cluster
    # namespace scanning:
    $ trivy k8s -n kube-system --report summary all
    # resources scanning:
    $ trivy k8s deployment/orion

  56. Summary Report

  57. Detailed Report

  58. Trivy covers more and more
    Repeats the full slide 11 diagram (Dev, DevOps / DevSecOps, Infrastructure / Cloud / Security, Security Operations).

  59. AWS scanning
    $ trivy aws
    Coming soon (v0.31.0)


  62. Advanced

  63. Software Bill of Materials (SBOM) generation
    Supports three formats
    • CycloneDX (--format cyclonedx): https://cyclonedx.org/
    • SPDX (--format spdx, --format spdx-json): https://spdx.dev/
    • GitHub Dependency Snapshots (--format github): https://docs.github.com/en/rest/dependency-graph/dependency-submission
    $ trivy image --format cyclonedx [YOUR_IMAGE]

  64. SBOM scanning
    $ trivy image --format cyclonedx --output alpine.cdx.json alpine:3.15
    $ trivy sbom alpine.cdx.json
    alpine.cdx.json (alpine 3.7.1)
    ==============================
    Total: 3 (CRITICAL: 3)
    +-------------+----------------+----------+-------------------+---------------+--------------------------------------------------------+
    | Library     | Vulnerability  | Severity | Installed Version | Fixed Version | Title                                                  |
    +-------------+----------------+----------+-------------------+---------------+--------------------------------------------------------+
    | curl        | CVE-2018-14618 | CRITICAL | 7.61.0-r0         | 7.61.1-r0     | curl: NTLM password overflow via integer overflow      |
    |             |                |          |                   |               | https://avd.aquasec.com/nvd/cve-2018-14618             |
    +-------------+----------------+----------+-------------------+---------------+--------------------------------------------------------+
    | libbz2      | CVE-2019-12900 | CRITICAL | 1.0.6-r6          | 1.0.6-r7      | bzip2: out-of-bounds write in function BZ2_decompress  |
    |             |                |          |                   |               | https://avd.aquasec.com/nvd/cve-2019-12900             |
    +-------------+----------------+----------+-------------------+---------------+--------------------------------------------------------+
    | sqlite-libs | CVE-2019-8457  | CRITICAL | 3.21.0-r1         | 3.25.3-r1     | sqlite: heap out-of-bound read in function rtreenode() |
    |             |                |          |                   |               | https://avd.aquasec.com/nvd/cve-2019-8457              |
    +-------------+----------------+----------+-------------------+---------------+--------------------------------------------------------+
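
Slides 63 and 64 show the two halves of the SBOM workflow: generate a bill of materials from an artifact, then scan the BOM instead of the artifact. The following added Python example (not Trivy's code) walks through both halves on a constructed Pipfile.lock: it emits a minimal CycloneDX 1.4 JSON document with one purl-identified component per package, then matches those components against a constructed advisory list. The lock file content, the advisory list (apart from the django ids and 2.x fixed versions, which are taken from slide 27) and the single "fixed_in" floor per advisory are assumptions of this example; real scanners compare against affected version ranges per release line.

```python
import json

# Constructed Pipfile.lock-style content (only the fields this example reads).
SAMPLE_PIPFILE_LOCK = json.dumps({
    "default": {"django": {"version": "==2.0.9"}, "requests": {"version": "==2.28.1"}},
    "develop": {"pytest": {"version": "==7.1.2"}},
})

# Constructed advisory list standing in for a vulnerability database. The django entries
# reuse the ids and 2.x fixed versions shown on slide 27; EXAMPLE-0001 is a placeholder.
ADVISORIES = [
    {"ecosystem": "pypi", "name": "django", "id": "CVE-2020-7471", "severity": "HIGH", "fixed_in": "2.2.10"},
    {"ecosystem": "pypi", "name": "django", "id": "CVE-2019-19844", "severity": "MEDIUM", "fixed_in": "2.2.9"},
    {"ecosystem": "pypi", "name": "requests", "id": "EXAMPLE-0001", "severity": "LOW", "fixed_in": "2.20.0"},
]


def pipfile_lock_to_cyclonedx(lock_json: str, artifact_name: str) -> dict:
    """Emit a minimal CycloneDX 1.4 JSON BOM: one library component per locked package,
    identified by a Package URL (purl) so a scanner can match it without the source tree."""
    lock = json.loads(lock_json)
    components = []
    for section in ("default", "develop"):
        for name, spec in sorted(lock.get(section, {}).items()):
            version = spec["version"].lstrip("=")
            components.append({"type": "library", "name": name, "version": version,
                               "purl": f"pkg:pypi/{name}@{version}"})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": artifact_name}},
        "components": components,
    }


def version_key(version: str) -> tuple[int, ...]:
    """Numeric dotted-version ordering; non-numeric parts count as 0 (enough for this sample)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def scan_sbom(bom: dict, advisories: list[dict] = ADVISORIES) -> list[dict]:
    """Match BOM components against advisories by ecosystem + name and flag versions below
    the fix. A single 'fixed_in' floor is a simplification of real affected-range data."""
    findings = []
    for comp in bom["components"]:
        ecosystem = comp["purl"].split(":", 1)[1].split("/", 1)[0]   # "pkg:pypi/x@1" -> "pypi"
        for adv in advisories:
            if (adv["ecosystem"] == ecosystem and adv["name"] == comp["name"]
                    and version_key(comp["version"]) < version_key(adv["fixed_in"])):
                findings.append({"pkg": comp["name"], "installed": comp["version"],
                                 "id": adv["id"], "severity": adv["severity"],
                                 "fixed": adv["fixed_in"]})
    return findings


if __name__ == "__main__":
    bom = pipfile_lock_to_cyclonedx(SAMPLE_PIPFILE_LOCK, "myproject")
    print(json.dumps(bom, indent=2))
    for f in scan_sbom(bom):
        print(f"{f['pkg']} {f['installed']}: {f['id']} ({f['severity']}), fixed in {f['fixed']}")
```

The point of the purl is that the BOM alone carries enough identity (ecosystem, name, version) for the scan, which is what lets `trivy sbom` rescan an artifact later, against a newer database, without pulling the image again.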

  65. Attestation
    • Authenticated metadata about a set of software artifacts
    • Provenance
      • A container image with digest "sha256:87f7fe…" from git commit "f0c93d…"
    • SBOM
    • Formats
      • In-toto attestation
    {
      "payloadType": "application/vnd.in-toto+json",
      "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwOi8vbXkuZXhhbXBsZS5jb20vYXV0aG9yIiwic3ViamVjdCI6W3sibmFtZSI6ImluZGV4LmRvY2tlci5pby9vdG1zNjEvaGVsbG8tMSIsImRpZ2VzdCI6eyJzaGEyNTYiOiIyMGQzZjY5M2RjZmZhNDRkNmIyNGVhZTg4NzgzMzI0ZDI1Y2MxMzJjMjIwODlmNzBlNGZiZmI4NTg2MjViMDYyIn19XSwicHJlZGljYXRlIjp7ImF1dGhvciI6Im5hc28ifX0=",
      "signatures": [
        {
          "keyid": "",
          "sig": "MEQC++c7F1czPr...CKdBdjq+If/g67Q=="
        }
      ]
    }
    https://github.com/in-toto/attestation
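
The envelope on the slide is a DSSE envelope: the in-toto Statement is base64-encoded in `payload`, and each signature is computed not over the raw payload but over the DSSE pre-authentication encoding (PAE) of payload type and payload. The following added Python example (not Trivy's or in-toto's code) builds such a statement for a constructed image name and digest, wraps it, unwraps it, reconstructs the exact bytes a verifier must check a signature over, and then checks that the attestation's subject digest matches the image being deployed. The image name, digest and predicate type are constructed; signature verification itself needs the producer's public key and a signature library and is left to the caller.

```python
import base64
import json

IN_TOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def make_statement(subject_name: str, sha256_digest: str, predicate_type: str, predicate: dict) -> dict:
    """in-toto Statement: the subject binds the claim to one artifact by digest."""
    return {
        "_type": IN_TOTO_STATEMENT_TYPE,
        "predicateType": predicate_type,
        "subject": [{"name": subject_name, "digest": {"sha256": sha256_digest}}],
        "predicate": predicate,
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding (DSSEv1). Signatures cover this byte string, so the
    payload type and both lengths are bound into what gets signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def wrap_envelope(statement: dict, signatures: list[dict]) -> dict:
    """DSSE envelope in the shape shown on the slide: base64 payload plus {keyid, sig} entries."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {"payloadType": DSSE_PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": signatures}


def unwrap_envelope(envelope: dict) -> tuple[dict, bytes]:
    """Decode the envelope and return (statement, bytes the signature must be verified over).
    Verification itself needs the producer's public key and a signature library."""
    if envelope.get("payloadType") != DSSE_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    payload = base64.b64decode(envelope["payload"], validate=True)
    statement = json.loads(payload)
    if statement.get("_type") != IN_TOTO_STATEMENT_TYPE:
        raise ValueError(f"unexpected statement type {statement.get('_type')!r}")
    return statement, pae(envelope["payloadType"], payload)


def statement_covers(statement: dict, image_digest: str) -> bool:
    """True only if a subject carries exactly this sha256 digest. Names and tags are mutable;
    the digest is what ties the attestation to the image."""
    digest = image_digest.removeprefix("sha256:")
    return any(s.get("digest", {}).get("sha256") == digest for s in statement.get("subject", []))


# Constructed values: a made-up image name, a made-up digest and a hypothetical predicate type.
SAMPLE_DIGEST = "ab" * 32
SAMPLE_ENVELOPE = wrap_envelope(
    make_statement("index.docker.io/example/hello", SAMPLE_DIGEST,
                   "https://example.test/predicate/author/v1", {"author": "ci-pipeline"}),
    [{"keyid": "", "sig": "<signature placeholder>"}],
)

if __name__ == "__main__":
    statement, signed_bytes = unwrap_envelope(SAMPLE_ENVELOPE)
    print(json.dumps(statement, indent=2))
    print(signed_bytes[:60], "...")
    print("covers sha256:" + SAMPLE_DIGEST, statement_covers(statement, "sha256:" + SAMPLE_DIGEST))
```

Two checks are easy to forget when consuming attestations: the payload type must be the one the policy expects before the payload is even parsed, and the subject digest must equal the digest of the artifact actually being admitted, not merely share its name or tag.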

  66. Trivy Operator
    • Automated vulnerability scanning for Kubernetes workloads.
    • Automated configuration audits for Kubernetes resources with predefined rules or custom Open Policy Agent (OPA) policies.
    • Custom Resource Definitions and a Go module to work with and integrate a range of security scanners.
    • The Lens Extension that makes security reports available through familiar Kubernetes interfaces.

  67. Dependency Origin Tree (Node.js)

  68. trivy.yaml
    $ cat << EOS > trivy.yaml
    timeout: 20m
    format: json
    dependency-tree: true
    list-all-pkgs: true
    exit-code: 1
    output: result.json
    severity:
      - HIGH
      - CRITICAL
    scan:
      security-checks:
        - vuln
        - secret
    vulnerability:
      ignore-unfixed: true
    EOS
    $ trivy image YOUR_IMAGE
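
The `severity`, `exit-code` and `ignore-unfixed` keys in the trivy.yaml above decide whether a scan fails a pipeline. To make that logic concrete, here is an added Python example (not Trivy's code) that applies the same three settings as a post-processing step over a JSON report of the kind `format: json` / `output: result.json` produces, and exits non-zero only on blocking findings. The report below is constructed in the shape of Trivy's JSON output (Results[] entries, each with Vulnerabilities[]); the fixed findings reuse the ids and versions shown on slides 27 and 38, while the unfixed CRITICAL entry uses a placeholder id and a constructed version because the page has no unfixed example.

```python
import json
import sys

# Constructed report in the shape of Trivy's JSON output (SchemaVersion 2). The fixed
# findings reuse ids/versions from the slides; CVE-0000-00000 is a placeholder for an
# issue with no fix available yet, and the musl version is constructed.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.test/app:1.0",
    "ArtifactType": "container_image",
    "Results": [
        {"Target": "example.test/app:1.0 (alpine 3.10.7)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2021-30139", "PkgName": "apk-tools", "InstalledVersion": "2.10.4-r2",
              "FixedVersion": "2.10.6-r0", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2021-28831", "PkgName": "busybox", "InstalledVersion": "1.30.1-r4",
              "FixedVersion": "1.30.1-r5", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-00000", "PkgName": "musl", "InstalledVersion": "1.1.22-r3",
              "FixedVersion": "", "Severity": "CRITICAL"},
         ]},
        {"Target": "Pipfile.lock", "Class": "lang-pkgs", "Type": "pipenv",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2020-7471", "PkgName": "django", "InstalledVersion": "2.0.9",
              "FixedVersion": "3.0.3, 2.2.10, 1.11.28", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2019-19844", "PkgName": "django", "InstalledVersion": "2.0.9",
              "FixedVersion": "3.0.1, 2.2.9, 1.11.27", "Severity": "MEDIUM"},
         ]},
    ],
})


def load_findings(report_json: str) -> list[dict]:
    """Flatten Results[].Vulnerabilities[] into one list, tagging each entry with its Target."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({**vuln, "Target": result.get("Target", "")})
    return findings


def gate(report_json: str, severities=("HIGH", "CRITICAL"), ignore_unfixed=True,
         exit_code=1) -> tuple[int, list[dict]]:
    """Return (exit status, blocking findings). Mirrors `severity`, `ignore-unfixed` and
    `exit-code` from trivy.yaml: only the listed severities count, and with ignore_unfixed
    a finding without a FixedVersion does not fail the build (there is nothing to upgrade to)."""
    wanted = {s.upper() for s in severities}
    blocking = [
        v for v in load_findings(report_json)
        if v.get("Severity", "UNKNOWN").upper() in wanted
        and not (ignore_unfixed and not v.get("FixedVersion"))
    ]
    return (exit_code if blocking else 0), blocking


def summarize(findings: list[dict]) -> dict[str, int]:
    """Counts per severity, the numbers behind the 'Total:' line of the table output."""
    counts: dict[str, int] = {}
    for v in findings:
        sev = v.get("Severity", "UNKNOWN")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: python gate.py result.json   (falls back to the constructed sample report)
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, blocking = gate(report)
    print("totals:", summarize(load_findings(report)))
    for v in blocking:
        print(f"{v['Target']}: {v['PkgName']} {v['InstalledVersion']} {v['VulnerabilityID']} "
              f"({v['Severity']}) -> fixed in {v['FixedVersion']}")
    sys.exit(code)
```

With the sample report and the settings from the slide, the unfixed CRITICAL finding is counted in the totals but does not block, and the MEDIUM django issue is filtered out by the severity list, so the build fails on the three HIGH findings that have an upgrade path.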

  69. Client/Server
    Components: Server, Client, Cache, Container Registry
    1. Download vulnerability DB (Server)
    2. Pull layers (Client, from the Container Registry)
    3. Analyze (Client)
    4. Send layer information (Client to Server)
    5. Store cache
    6. Respond vulnerabilities (Server to Client)

  70. Open Policy Agent (OPA) Integration
    Detected Vulnerabilities → OPA (Rego policy passed with --ignore-policy) → Result
    * EXPERIMENTAL feature
    KubeCon Europe 2020
    https://static.sched.com/hosted_files/kccnceu20/e5/2020%3A08%20KubeCon%20Europe%202020.pdf

  71. WebAssembly Module
    * EXPERIMENTAL feature
    Modules are distributed through OCI Registries.
    $ trivy module install ghcr.io/aquasecurity/trivy-module-spring4shell
    $ trivy image ghcr.io/aquasecurity/trivy-test-images:spring4shell-jre8
    Inspect Tomcat Configuration...

  72. Audit Your Software Supply Chain for CIS Compliance
    • The CIS Software Supply Chain Security Guide
    • Aqua Security and the Center for Internet Security (CIS) collaborated
    • Provides more than 100 foundational recommendations
    • Support key emerging standards like Supply-chain Levels for Software Artifacts (SLSA) and The Update Framework (TUF).
    https://github.com/aquasecurity/chain-bench

  73. Simplify Cloud Native Security with Trivy
    Repeats the full slide 11 diagram (Dev, DevOps / DevSecOps, Infrastructure / Cloud / Security, Security Operations) with the areas covered by Trivy marked "Covered by".

  74. Thanks
    © 2022 Aqua Security Software Ltd., All Rights Reserved