Simplify Cloud Native Security with Trivy

Trivy is now one tool for all cloud native scanning needs, including source code, repositories, images, artifact registries, Infrastructure as Code (IaC) templates and Kubernetes environments. With fewer tools to manage, developers, DevOps and DevSecOps teams have a simpler, more efficient way to ensure the security of their cloud native applications, and they can integrate security into their workflows without leaving their continuous integration / continuous deployment (CI/CD) environment. By adding more cloud native scanning targets to Trivy, such as Kubernetes, Trivy simplifies cloud native security.

Teppei Fukuda

August 05, 2022

Transcript

  1. Simplify Cloud Native Security with Trivy. Teppei Fukuda, August 5th, 2022, CloudNative Security Conference 2022. © 2022 Aqua Security Software Ltd., All Rights Reserved.
  2. Teppei Fukuda, Open Source Team, Aqua Security. GitHub / Twitter: @knqyf263

  3. Agenda: Overview of Cloud Native Security; Where to start; How Trivy helps; Summary
  4. The Application Development Lifecycle. Stages Code -> Build -> Deploy -> Run, drawn across an App row and an Infra row. Elements: Git, Code (custom, 3rd party, OSS), IaC, CI, Image, CD, Artifact registry, Orchestrator, Functions, VMs, Containers, Cloud accounts.
  5. The same lifecycle diagram, annotated with the two security layers: Artifact Scanning and Runtime.
  6. Cloud Native Application Protection Platforms (CNAPP)
     Source: Gartner, Inc., Innovation Insight for Cloud-Native Application Protection Platforms. Three pillars spanning Dev, Ops and Sec:
     - Artifact Scanning: SAST/DAST, API scanning, Secrets scanning, Malware scanning, Software Composition Analysis (SCA), Infrastructure as Code scanning
     - Cloud Configuration: Network Configuration and Security Policy, Cloud Infrastructure Entitlements Management (CIEM), Kubernetes Security Posture Management (KSPM), Cloud Security Posture Management (CSPM)
     - Runtime Protection: Web Application and API Protection, Application Monitoring, Cloud Workload Protection Platform (CWPP), Network Segmentation, Workload Vulnerability/Config
  7. Open Source Security Tools mapped onto the CNAPP pillars (Artifact Scanning, Cloud Configuration, Runtime Protection) from the Gartner Innovation Insight. Examples named on the slide: Gitleaks, gosec.
  8. The same map of open source security tools across the CNAPP pillars. Where to start…?
  9. The Application Development Lifecycle again, annotated with Artifact Scanning and Runtime.
  10. The Application Development Lifecycle: which stage to secure?
  11. Where security fits along the lifecycle, by team:
     - Dev: Trust your Code. SCA, IaC Scanning, SAST/DAST, Fuzzing, Secrets Scanning. Goal: preventing security from slowing down development.
     - DevOps / DevSecOps: Secure your Artifact. Container Image Scanning (vulnerabilities, secrets, malware, etc.), Supply Chain Security. Goal: preventing vulnerable artifacts from deploying.
     - Infrastructure / Cloud / Security: Harden your Deployment. CSPM, KSPM, Network Configuration, Workload Vulnerability/Config. Goal: scan cloud deployments for security issues like misconfigurations.
     - Security Operations: Handle Attack. AV, EDR, IDS/IPS/WAF, Container / VMs / Server Protection. Goal: visibility and protection for cloud native deployments.
  12. Build: the Dev (Trust your Code) and DevOps / DevSecOps (Secure your Artifact) columns of the slide 11 diagram, shown for the Build stage.
  13. Deploy: the same diagram, shown for the Deploy stage (Secure your Artifact and Harden your Deployment).
  14. The same diagram, annotated along the attack path: Attack, Prevent, Detect, Block.
  15. The same diagram, annotated with Attack, Deploy and Build.
  16. Shifting Left: the same diagram, with priority labelled from High to Low across the columns.
  17. Why shifting security left matters: https://cloud.google.com/blog/products/identity-security/shift-left-on-google-cloud-security-invest-now-save-later

  18. Invest early, save later: the same diagram. Still too much.
  19. Missing patches and misconfiguration are the top technical breach causes: https://www.darkreading.com/vulnerabilities---threats/missing-patches-misconfiguration-top-technical-breach-causes/d/d-id/1337410

  20. Number of known vulnerabilities
     - Log4Shell
     - Spring4Shell
     - ProxyShell
     - ProxyLogon
     - ZeroLogon

  21. Misconfiguration-caused breaches
     - https://www.trendmicro.com/vinfo/pl/security/news/virtualization-and-cloud/data-on-123-million-us-households-exposed-due-to-misconfigured-aws-s3-bucket
     - https://www.darkreading.com/attacks-breaches/misconfigured-elasticsearch-instance-exposes-more-than-5-billion-records/d/d-id/1337368
     - https://www.computerweekly.com/news/252435544/Unprotected-Kubernetes-consoles-expose-firms-to-cryptojacking

  22. Start with Patch & Misconfiguration Scanning (the same diagram).
  23. What's Trivy? The Swiss Army Knife for Security Scanning
     - Started as a vulnerability scanner for container images
     - Joined Aqua Security in 2019
     https://github.com/aquasecurity/trivy
  24. Highlights: Comprehensive Security Issues, Easy Setup, High Accuracy

  25. Vulnerability Scanning: Alpine Linux, Debian, Python, Go, Java, etc.
  26. Scan filesystem for vulnerabilities
     $ trivy fs [YOUR_PROJECT_DIR]

  27. Scan filesystem for vulnerabilities. Scan a project that contains a lock file with the "filesystem" ("fs") subcommand:
     $ trivy fs ./myproject

     Pipfile.lock
     ============
     Total: 9 (UNKNOWN: 1, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)

     +---------+------------------+----------+-------------------+------------------------+-------------------------------+
     | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |     FIXED VERSION      |             TITLE             |
     +---------+------------------+----------+-------------------+------------------------+-------------------------------+
     | django  | CVE-2020-7471    | HIGH     | 2.0.9             | 3.0.3, 2.2.10, 1.11.28 | django: potential             |
     |         |                  |          |                   |                        | SQL injection via             |
     |         |                  |          |                   |                        | StringAgg(delimiter)          |
     +         +------------------+----------+                   +------------------------+-------------------------------+
     |         | CVE-2019-19844   | MEDIUM   |                   | 3.0.1, 2.2.9, 1.11.27  | Django: crafted email address |
     |         |                  |          |                   |                        | allows account takeover       |
     +---------+------------------+----------+-------------------+------------------------+-------------------------------+
  28. Scan git repository
     $ trivy repo [REPOSITORY_URL]
     e.g. $ trivy repo github.com/aquasecurity/tracee
  29. Infrastructure as Code (IaC) scanning: Terraform, CloudFormation, Kubernetes, Helm chart, Dockerfile
  30. Misconfiguration scanning
     $ trivy fs --security-checks config [YOUR_PROJECT_DIR]

  31. Misconfiguration scanning (example output)

  32. Helm chart scanning: Demo

  33. Custom policies (OPA/Rego). A Rego import path must be rooted at data, so Trivy's result helper is imported as data.lib.result:
     package user.kubernetes.ID001

     import data.lib.result

     # Metadata Trivy reports alongside each finding.
     __rego_metadata__ := {
         "id": "ID001",
         "title": "Deployment not allowed",
         "severity": "LOW",
         "description": "Deployments are not allowed because of some reasons.",
     }

     # Only evaluate this policy against Kubernetes manifests.
     __rego_input__ := {
         "selector": [
             {"type": "kubernetes"},
         ],
     }

     deny[res] {
         input.kind == "Deployment"
         msg := sprintf("Found deployment '%s' but deployments are not allowed", [input.metadata.name])
         res := result.new(msg, input)
     }
  34. Build: Developer Security (the same diagram, Build stage highlighted).
  35. Visual Studio Code and JetBrains plugins: https://marketplace.visualstudio.com/items?itemName=AquaSecurityOfficial.trivy-vulnerability-scanner

  36. Scan container images for vulnerabilities (the same diagram).
  37. Container image scanning
     $ trivy image [YOUR_IMAGE_NAME]

  38. Example
     $ trivy image alpine:3.10.7
     2021-07-13T18:16:52.490+0300    INFO    Detected OS: alpine
     2021-07-13T18:16:52.490+0300    INFO    Detecting Alpine vulnerabilities...

     alpine:3.10.7 (alpine 3.10.7)
     =============================
     Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

     +-----------+------------------+----------+-------------------+---------------+---------------------------------------+
     |  LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
     +-----------+------------------+----------+-------------------+---------------+---------------------------------------+
     | apk-tools | CVE-2021-30139   | HIGH     | 2.10.4-r2         | 2.10.6-r0     | In Alpine Linux apk-tools             |
     |           |                  |          |                   |               | before 2.12.5, the tarball            |
     |           |                  |          |                   |               | parser allows a buffer...             |
     |           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-30139 |
     +-----------+------------------+          +-------------------+---------------+---------------------------------------+
     | busybox   | CVE-2021-28831   |          | 1.30.1-r4         | 1.30.1-r5     | busybox: invalid free or segmentation |
     |           |                  |          |                   |               | fault via malformed gzip data         |
     |           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-28831 |
     +-----------+------------------+----------+-------------------+---------------+---------------------------------------+
  39. Detect comprehensive vulnerabilities
     - OS packages: Debian / Ubuntu, Red Hat Enterprise Linux / CentOS, Alpine Linux, Amazon Linux, Oracle Linux, openSUSE / SUSE Enterprise Linux, Photon OS, Google Distroless, AlmaLinux / Rocky Linux, CBL-Mariner
     - Language-specific packages: Ruby, PHP, Python, JavaScript / Node.js, Rust, Java, Go, .NET
  40. Integrations

  41. Continuous Integration (CI)

  42. GitLab

  43. Harbor: https://goharbor.io/blog/harbor-2.0/

  44. Azure Defender for Cloud: https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-cicd

  45. Rancher Desktop: https://github.com/rancher-sandbox/rancher-desktop/releases/tag/v0.4.0

  46. Docker Extensions (Docker Desktop): https://blog.aquasec.com/container-image-scanning-docker-desktop-with-trivy

  47. Key Takeaways: Top Technical Breach Causes; Invest early, save later. (Diagram: Dev: Trust your Code, SCA, IaC Scanning, SAST/DAST, Fuzzing, Secrets Scanning; DevOps / DevSecOps: Secure your Artifact, Container Image Scanning, Supply Chain Security.)
  48. Hard-coded secrets scanning: AWS Access Key ID / Secret Access Key, GCP Service Account, GitHub Personal Access Token, Slack Access Token, etc.
  49. Secret scanning is enabled by default:
     $ trivy image [YOUR_IMAGE]
     $ trivy fs [YOUR_PROJECT_DIR]
  50. Optimization. Secret scanning is quite slow; the slide marks layers of this Dockerfile that need no scan ("No need to scan"):
     FROM debian:8
     RUN apt-get update
     COPY mysecret.txt /
     ENTRYPOINT ["entrypoint.sh"]
     CMD ["somecmd"]
  51. License classification: Forbidden, Restricted, Reciprocal, Notice, etc. https://opensource.google/documentation/reference/thirdparty/licenses
  52. License scanning (compliance)
     $ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
     2022-07-13T17:28:39.526+0300    INFO    License scanning is enabled

     OS Packages (license)
     =====================
     Total: 6 (UNKNOWN: 0, HIGH: 6, CRITICAL: 0)

     +-------------------+---------+----------------+----------+
     |      Package      | License | Classification | Severity |
     +-------------------+---------+----------------+----------+
     | alpine-baselayout | GPL-2.0 | Restricted     | HIGH     |
     +-------------------+         |                |          |
     | apk-tools         |         |                |          |
     +-------------------+         |                |          |
     | busybox           |         |                |          |
     +-------------------+         |                |          |
     | musl-utils        |         |                |          |
     +-------------------+         |                |          |
     | scanelf           |         |                |          |
     +-------------------+         |                |          |
     | ssl_client        |         |                |          |
     +-------------------+---------+----------------+----------+
  53. Extended license scanning: scan license files and file headers (--license-full)
     $ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana
     2022-07-13T17:48:40.905+0300    INFO    Full license scanning is enabled

     Loose File License(s) (license)
     ===============================
     Total: 6 (UNKNOWN: 4, HIGH: 0, CRITICAL: 2)

     +----------------+----------+--------------+--------------------------------------------------------------------------+
     | Classification | Severity |   License    |                              File Location                               |
     +----------------+----------+--------------+--------------------------------------------------------------------------+
     | Forbidden      | CRITICAL | AGPL-3.0     | /usr/share/grafana/LICENSE                                               |
     +----------------+----------+--------------+--------------------------------------------------------------------------+
     | Non Standard   | UNKNOWN  | BSD-0-Clause | /usr/share/grafana/public/build/5069.d6aae9dd11d49c741a80.js.LICENSE.txt |
     |                |          |              +--------------------------------------------------------------------------+
     |                |          |              | /usr/share/grafana/public/build/6444.d6aae9dd11d49c741a80.js.LICENSE.txt |
     +----------------+----------+--------------+--------------------------------------------------------------------------+
  54. Trivy covers more (the same diagram).
  55. Kubernetes cluster scanning
     # cluster scanning
     $ trivy k8s --report summary cluster
     # namespace scanning
     $ trivy k8s -n kube-system --report summary all
     # resource scanning
     $ trivy k8s deployment/orion
  56. Summary Report

  57. Detailed Report

  58. Trivy covers more and more (the same diagram).
  59. AWS scanning: $ trivy aws (coming soon, v0.31.0)

  62. Advanced

  63. Software Bill of Materials (SBOM) generation. Three formats are supported:
     - CycloneDX (--format cyclonedx): https://cyclonedx.org/
     - SPDX (--format spdx, --format spdx-json): https://spdx.dev/
     - GitHub Dependency Snapshots (--format github): https://docs.github.com/en/rest/dependency-graph/dependency-submission
     $ trivy image --format cyclonedx [YOUR_IMAGE]
  64. SBOM scanning
     $ trivy image --format cyclonedx --output alpine.cdx.json alpine:3.15
     $ trivy sbom alpine.cdx.json

     alpine.cdx.json (alpine 3.7.1)
     ==============================
     Total: 3 (CRITICAL: 3)

     +-------------+----------------+----------+-------------------+---------------+--------------------------------------------------------+
     |   Library   | Vulnerability  | Severity | Installed Version | Fixed Version |                         Title                          |
     +-------------+----------------+----------+-------------------+---------------+--------------------------------------------------------+
     | curl        | CVE-2018-14618 | CRITICAL | 7.61.0-r0         | 7.61.1-r0     | curl: NTLM password overflow via integer overflow      |
     |             |                |          |                   |               | https://avd.aquasec.com/nvd/cve-2018-14618             |
     +-------------+----------------+----------+-------------------+---------------+--------------------------------------------------------+
     | libbz2      | CVE-2019-12900 | CRITICAL | 1.0.6-r6          | 1.0.6-r7      | bzip2: out-of-bounds write in function BZ2_decompress  |
     |             |                |          |                   |               | https://avd.aquasec.com/nvd/cve-2019-12900             |
     +-------------+----------------+----------+-------------------+---------------+--------------------------------------------------------+
     | sqlite-libs | CVE-2019-8457  | CRITICAL | 3.21.0-r1         | 3.25.3-r1     | sqlite: heap out-of-bound read in function rtreenode() |
     |             |                |          |                   |               | https://avd.aquasec.com/nvd/cve-2019-8457              |
     +-------------+----------------+----------+-------------------+---------------+--------------------------------------------------------+
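The slide generates an SBOM and then scans it. A check practitioners add on top of that is comparing the SBOM recorded at build time with one generated from the image about to be deployed, so that a component that appears, disappears or changes version between the two is noticed before rollout. The script below is an added example, not code from the deck or from Trivy; both CycloneDX documents are constructed for it, with package names and versions taken from the alpine scan above and the deploy-side SBOM deliberately made to differ.

```python
"""Diff two CycloneDX SBOMs (added example, not Trivy's own code)."""
import json


def _bom(name, version, components):
    """Build a minimal CycloneDX 1.4 JSON document (constructed sample data)."""
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": {"type": "container", "name": name, "version": version}},
        "components": [
            {"type": "library", "name": n, "version": v,
             "purl": f"pkg:apk/alpine/{n}@{v}?distro={version}"}
            for n, v in components
        ],
    })


# Constructed: what the build produced vs. what the image to be deployed contains.
BUILD_SBOM = _bom("alpine", "3.7.1", [("curl", "7.61.0-r0"), ("libbz2", "1.0.6-r6"),
                                      ("sqlite-libs", "3.21.0-r1")])
DEPLOY_SBOM = _bom("alpine", "3.7.1", [("curl", "7.61.1-r0"), ("sqlite-libs", "3.25.3-r1"),
                                       ("busybox", "1.30.1-r5")])


def subject(cyclonedx_json):
    """(name, version) of the artifact the SBOM describes (metadata.component)."""
    comp = json.loads(cyclonedx_json).get("metadata", {}).get("component", {})
    return comp.get("name", ""), comp.get("version", "")


def components(cyclonedx_json):
    """Map a version-less key -> (name, version) for each component.

    Keying on the purl with version and qualifiers stripped makes a version
    bump show up as one "changed" entry rather than a remove plus an add.
    """
    bom = json.loads(cyclonedx_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out = {}
    for c in bom.get("components", []):
        purl = c.get("purl", "")
        key = purl.split("@", 1)[0] if purl else f"{c.get('type', 'library')}:{c['name']}"
        out[key] = (c["name"], c.get("version", ""))
    return out


def diff_sboms(build_json, deploy_json):
    """Components added, removed or changed between the build and deploy SBOMs."""
    if subject(build_json) != subject(deploy_json):
        raise ValueError("SBOMs describe different artifacts")
    a, b = components(build_json), components(deploy_json)
    return {
        "added": sorted(b[k] for k in b.keys() - a.keys()),
        "removed": sorted(a[k] for k in a.keys() - b.keys()),
        "changed": sorted((a[k][0], a[k][1], b[k][1])
                          for k in a.keys() & b.keys() if a[k][1] != b[k][1]),
    }


if __name__ == "__main__":
    # Usage with real files: trivy image --format cyclonedx -o build.cdx.json IMAGE (at build time)
    # and again at deploy time, then pass both file contents to diff_sboms().
    for kind, entries in diff_sboms(BUILD_SBOM, DEPLOY_SBOM).items():
        for e in entries:
            print(kind, *e)
```

An empty diff is the expected result when the registry served exactly the artifact that was built; anything else should be explained (a rebuilt base image, a mutable tag re-pointed) before the deployment proceeds.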
  65. Attestation
     - Authenticated metadata about a set of software artifacts
     - Provenance: e.g. a container image with digest "sha256:87f7fe…" built from git commit "f0c93d…"
     - SBOM
     - Formats: in-toto attestation (https://github.com/in-toto/attestation)
     Example envelope:
     {
       "payloadType": "application/vnd.in-toto+json",
       "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwOi8vbXkuZXhhbXBsZS5jb20vYXV0aG9yIiwic3ViamVjdCI6W3sibmFtZSI6ImluZGV4LmRvY2tlci5pby9vdG1zNjEvaGVsbG8tMSIsImRpZ2VzdCI6eyJzaGEyNTYiOiIyMGQzZjY5M2RjZmZhNDRkNmIyNGVhZTg4NzgzMzI0ZDI1Y2MxMzJjMjIwODlmNzBlNGZiZmI4NTg2MjViMDYyIn19XSwicHJlZGljYXRlIjp7ImF1dGhvciI6InNhc28ifX0=",
       "signatures": [
         {
           "keyid": "",
           "sig": "MEQC++c7F1czPr...CKdBdjq+If/g67Q=="
         }
       ]
     }
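Two checks stand between an attestation like the one on the slide and trusting it: the signature has to verify, and the statement's subject digest has to be the digest of the artifact actually being deployed, since a valid signature over a statement about some other image proves nothing about this one. The script below is an added example, not code from the deck or from Trivy. ENVELOPE_JSON is the slide's own envelope with the wrapped base64 re-joined; because the slide truncates the "sig" value, signature verification is not attempted, and the example shows only the subject binding plus the DSSE pre-authentication encoding, which is the byte string a DSSE signature actually covers.

```python
"""Inspect a DSSE-wrapped in-toto attestation (added example, not Trivy's code)."""
import base64
import json

# The envelope shown on the slide. The payload is one base64 string, split here
# only at the slide's line breaks; the signature is truncated on the slide and
# therefore left empty rather than guessed.
ENVELOPE_JSON = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": (
        "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1l"
        "bnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwOi8vbXkuZ"
        "XhhbXBsZS5jb20vYXV0aG9yIiwic3ViamVjdCI6W3sibmFtZS"
        "I6ImluZGV4LmRvY2tlci5pby9vdG1zNjEvaGVsbG8tMSIsImR"
        "pZ2VzdCI6eyJzaGEyNTYiOiIyMGQzZjY5M2RjZmZhNDRkNmIy"
        "NGVhZTg4NzgzMzI0ZDI1Y2MxMzJjMjIwODlmNzBlNGZiZmI4N"
        "Tg2MjViMDYyIn19XSwicHJlZGljYXRlIjp7ImF1dGhvciI6In"
        "Nhc28ifX0="
    ),
    "signatures": [{"keyid": "", "sig": ""}],
})

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
IN_TOTO_STATEMENT_TYPES = {"https://in-toto.io/Statement/v0.1", "https://in-toto.io/Statement/v1"}


def decode_statement(envelope_json):
    """Unwrap the DSSE envelope; return (statement dict, raw payload bytes)."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    # Tolerate wrapped base64 (as printed on the slide) but reject anything else.
    payload = base64.b64decode("".join(env["payload"].split()), validate=True)
    stmt = json.loads(payload)
    if stmt.get("_type") not in IN_TOTO_STATEMENT_TYPES:
        raise ValueError(f"not an in-toto Statement: {stmt.get('_type')!r}")
    return stmt, payload


def subject_matches(stmt, artifact_name, sha256_hex):
    """True iff a subject entry names this artifact with exactly this sha256 digest."""
    for subj in stmt.get("subject", []):
        digest = subj.get("digest", {}).get("sha256", "")
        if subj.get("name") == artifact_name and digest.lower() == sha256_hex.lower():
            return True
    return False


def dsse_pae(payload_type, payload):
    """DSSE Pre-Authentication Encoding: b"DSSEv1 <len> <type> <len> <payload>".

    A DSSE signature is computed over these bytes, not over the raw payload,
    so a verifier rebuilds them before checking "sig" with the signer's key.
    """
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def check_attestation(envelope_json, artifact_name, sha256_hex):
    """Decode the envelope and bind the statement to the artifact. Returns (ok, detail)."""
    try:
        stmt, _ = decode_statement(envelope_json)
    except (ValueError, KeyError) as exc:
        return False, f"malformed envelope: {exc}"
    if not subject_matches(stmt, artifact_name, sha256_hex):
        return False, "subject does not match artifact"
    return True, stmt["predicateType"]


if __name__ == "__main__":
    name = "index.docker.io/otms61/hello-1"
    digest = "20d3f693dcffa44d6b24eae88783324d25cc132c22089f70e4fbfb858625b062"
    print(check_attestation(ENVELOPE_JSON, name, digest))
    print(check_attestation(ENVELOPE_JSON, name, "00" * 32))  # same statement, wrong artifact
```

In a real consumer the digest argument comes from the registry (the manifest digest of the image being pulled), never from the attestation itself, and the signature over dsse_pae(...) is verified against a key or identity you already trust before the predicate is read.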
  66. Trivy Operator
     - Automated vulnerability scanning for Kubernetes workloads.
     - Automated configuration audits for Kubernetes resources with predefined rules or custom Open Policy Agent (OPA) policies.
     - Custom Resource Definitions and a Go module to work with and integrate a range of security scanners.
     - The Lens Extension, which makes security reports available through familiar Kubernetes interfaces.
  67. Dependency Origin Tree (Node.js)

  68. trivy.yaml
     $ cat << EOS > trivy.yaml
     timeout: 20m
     format: json
     dependency-tree: true
     list-all-pkgs: true
     exit-code: 1
     output: result.json
     severity:
       - HIGH
       - CRITICAL
     scan:
       security-checks:
         - vuln
         - secret
     vulnerability:
       ignore-unfixed: true
     EOS
     $ trivy image YOUR_IMAGE
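The trivy.yaml above turns a scan into a pass/fail decision: only HIGH and CRITICAL count, findings without a fix are ignored, both vulnerability and secret checks run, and exit-code 1 fails the pipeline. The script below is an added example, not code from the deck or from Trivy; it applies the same policy to a "trivy image --format json" report so the gate logic is explicit and testable rather than spread across flags. SAMPLE_REPORT is constructed for the example: the two fixed CVEs are the ones shown for alpine:3.10.7 earlier in the deck, while the unfixed entry and the secret finding are placeholders.

```python
"""Gate a pipeline on a Trivy JSON report (added example, not Trivy's own code)."""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed Trivy SchemaVersion 2 report (field names as Trivy emits them).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "alpine:3.10.7",
    "ArtifactType": "container_image",
    "Results": [
        {"Target": "alpine:3.10.7 (alpine 3.10.7)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2021-30139", "PkgName": "apk-tools", "Severity": "HIGH",
              "InstalledVersion": "2.10.4-r2", "FixedVersion": "2.10.6-r0"},
             {"VulnerabilityID": "CVE-2021-28831", "PkgName": "busybox", "Severity": "HIGH",
              "InstalledVersion": "1.30.1-r4", "FixedVersion": "1.30.1-r5"},
             # Placeholder (not a real ID): a CRITICAL finding with no fix available yet.
             {"VulnerabilityID": "CVE-XXXX-XXXX", "PkgName": "libplaceholder", "Severity": "CRITICAL",
              "InstalledVersion": "1.0.0-r0", "FixedVersion": ""},
         ]},
        {"Target": "app/config.env", "Class": "secret",
         "Secrets": [
             # Placeholder secret finding; Trivy masks the matched value in its output.
             {"RuleID": "aws-access-key-id", "Category": "AWS", "Severity": "CRITICAL",
              "Title": "AWS Access Key ID", "StartLine": 3, "EndLine": 3,
              "Match": "AWS_KEY=AKIA****************"},
         ]},
    ],
})


def gate(report_json, severities=("HIGH", "CRITICAL"), ignore_unfixed=True,
         security_checks=("vuln", "secret")):
    """Return the findings that fail the gate, mirroring the trivy.yaml settings.

    ignore-unfixed applies only to vulnerabilities: a secret has no "fixed
    version", so a hard-coded key still fails the build when it is enabled.
    """
    report = json.loads(report_json)
    wanted = set(severities)
    failing = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        if "vuln" in security_checks:
            for v in result.get("Vulnerabilities") or []:
                if v.get("Severity") not in wanted:
                    continue
                if ignore_unfixed and not v.get("FixedVersion"):
                    continue
                failing.append({"kind": "vuln", "id": v["VulnerabilityID"], "pkg": v["PkgName"],
                                "severity": v["Severity"], "target": target})
        if "secret" in security_checks:
            for s in result.get("Secrets") or []:
                if s.get("Severity") not in wanted:
                    continue
                failing.append({"kind": "secret", "id": s["RuleID"], "pkg": f"line {s['StartLine']}",
                                "severity": s["Severity"], "target": target})
    # Worst first, so the first line of CI output is the one to read.
    failing.sort(key=lambda f: -SEVERITY_RANK[f["severity"]])
    return failing


def summarize(failing):
    """Count failing findings per severity."""
    counts = {}
    for f in failing:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -SEVERITY_RANK[kv[0]]))


def exit_code(failing):
    """The exit-code: 1 behaviour from trivy.yaml: non-zero iff anything failed."""
    return 1 if failing else 0


if __name__ == "__main__":
    # Usage: trivy image --format json IMAGE > result.json; python gate.py result.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    hits = gate(data)
    for h in hits:
        print(f"{h['severity']:<8} {h['kind']:<6} {h['id']:<16} {h['pkg']}  ({h['target']})")
    print("summary:", summarize(hits))
    sys.exit(exit_code(hits))
```

Note the asymmetry the sample makes visible: with ignore-unfixed the CRITICAL vulnerability without a fix is silenced (there is nothing the team can do about it yet), but the CRITICAL secret finding still fails the build, because a leaked key is always actionable.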
  69. Client/Server mode
     Server: (1) Download vulnerability DB
     Client: (2) Pull layers from the Container Registry; (3) Analyze; (4) Send layer information to the Server; (5) Store cache; (6) Server responds with vulnerabilities
  70. Open Policy Agent (OPA) Integration (* EXPERIMENTAL feature)
     Detected Vulnerabilities -> OPA (Rego policy passed with --ignore-policy) -> Result
     KubeCon Europe 2020: https://static.sched.com/hosted_files/kccnceu20/e5/2020%3A08%20KubeCon%20Europe%202020.pdf
  71. WebAssembly Module (* EXPERIMENTAL feature)
     $ trivy module install ghcr.io/aquasecurity/trivy-module-spring4shell
     $ trivy image ghcr.io/aquasecurity/trivy-test-images:spring4shell-jre8
     Diagram labels: OCI Registries; Inspect Tomcat Configuration...
  72. Audit Your Software Supply Chain for CIS Compliance
     - The CIS Software Supply Chain Security Guide
     - Aqua Security and the Center for Internet Security (CIS) collaborated on it
     - Provides more than 100 foundational recommendations
     - Supports key emerging standards such as Supply-chain Levels for Software Artifacts (SLSA) and The Update Framework (TUF)
     https://github.com/aquasecurity/chain-bench
  73. Simplify Cloud Native Security with Trivy: the same diagram, marking what is covered by Trivy.
  74. Thanks