Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Simplify Cloud Native Security with Trivy

Simplify Cloud Native Security with Trivy

Trivy is now one tool for all cloud native scanning needs including source code, repositories, images, artifact registries, Infrastructure as Code (IaC) templates and Kubernetes environments. With fewer tools to manage, developers, DevOps and DevSecOps now have a more efficient, simplified tool to ensure security of their cloud native applications. They can integrate security into their workflows without having to leave their continuous integration or continuous deployment (CI/CD) environments. By integrating more cloud native scanning targets into Trivy, such as Kubernetes, Trivy is simplifying cloud native security.

Teppei Fukuda

August 05, 2022
Tweet

More Decks by Teppei Fukuda

Other Decks in Technology

Transcript

  1. © 2022 Aqua Security Software Ltd., All Rights Reserved
    Teppei Fukuda / August 5th, 2022
    Simplify Cloud Native Security with Trivy


    CloudNative Security Conference 2022

    View full-size slide

  2. Teppei Fukuda
    Open Source Team, Aqua Security
    @knqyf263
    @knqyf263
    2

    View full-size slide

  3. 3
    Overview of Cloud Native Security


    Where to start


    How Trivy helps


    Summary
    Agenda

    View full-size slide

  4. 4
    App
    Infra
    Run
    Build Deploy
    Code
    CD
    Artifact registry
    Functions
    VMs
    Containers
    Cloud accounts
    Code (custom, 3rd party,
    OSS)
    Image
    IaC
    Git Orchestrator
    CI
    The Application Development Lifecycle

    View full-size slide

  5. 5
    App
    Infra
    Run
    Build Deploy
    Code
    CD
    Artifact registry
    Functions
    VMs
    Containers
    Cloud accounts
    Code (custom, 3rd party,
    OSS)
    Image
    IaC
    Git Orchestrator
    CI
    Artifact Scanning Runtime


    View full-size slide

  6. 6
    Cloud Native Application Protection Platforms (CNAPP)
    Dev Ops
    Sec
    Artifact Scanning
    Cloud Configuration
    Runtime Protection
    Gartner, Inc.


    Innovation Insight for Cloud-Native Application Protection Platforms
    SAST/DAST


    API scanning


    Secrets scanning


    Malware scanning


    Software Composition Analysis (SCA)
    Infrastructure as Code scanning


    Network Configuration and Security Policy


    Cloud Infrastructure Entitlements Mgmt


    Kubernetes Security Posture Management (KSPM)


    Cloud Security Posture Management (CSPM)
    Web Application and API Protection


    Application Monitoring


    Cloud Workload Protection Platform (CWPP)


    Network Segmentation


    Workload Vulnerability/Config

    View full-size slide

  7. 7
    Dev Ops
    Sec
    Artifact Scanning
    Cloud Configuration
    Runtime Protection
    Gartner, Inc.


    Innovation Insight for Cloud-Native Application Protection Platforms
    Gitleaks gosec
    Open Source Security Tools

    View full-size slide

  8. 8
    Dev Ops
    Sec
    Artifact Scanning
    Cloud Configuration
    Runtime Protection
    Gartner, Inc.


    Innovation Insight for Cloud-Native Application Protection Platforms
    Gitleaks gosec
    Open Source Security Tools
    Where to start…?

    View full-size slide

  9. 9
    App
    Infra
    Run
    Build Deploy
    Code
    CD
    Artifact registry
    Functions
    VMs
    Containers
    Cloud accounts
    Code (custom, 3rd party,
    OSS)
    Image
    IaC
    Git Orchestrator
    CI
    Artifact Scanning Runtime


    View full-size slide

  10. 10
    App
    Infra
    Run
    Build Deploy
    Code
    CD
    Artifact registry
    Functions
    VMs
    Containers
    Cloud accounts
    Code (custom, 3rd party,
    OSS)
    Image
    IaC
    Git Orchestrator
    CI
    Which stage to secure

    View full-size slide

  11. 11
    Dev
    SCA


    IaC Scanning


    SAST/DAST


    Fuzzing


    Secrets Scanning
    Preventing security from


    slowing down development
    Trust your Code
    Preventing vulnerable artifacts


    from deploying
    Scan cloud deployments for security
    issues like misconfigurations
    DevOps / DevSecOps
    Container Image Scanning


    - Vulnerabilities


    - Secrets


    - Malware, etc.


    Supply Chain Security
    Secure your Artifact
    Infrastructure / Cloud / Security
    CSPM


    KSPM


    Network Configuration


    Workload Vulnerability/Config
    Harden your Deployment
    Security Operations
    AV


    EDR


    IDS/IPS/WAF


    Container / VMs / Server

    Protection
    Visibility and protection for cloud


    native development
    Handle Attack

    View full-size slide

  12. 12
    Dev
    SCA


    IaC Scanning


    SAST/DAST


    Fuzzing


    Secrets Scanning
    Preventing security from


    slowing down development
    Trust your Code
    Preventing vulnerable artifacts


    from deploying
    DevOps / DevSecOps
    Container Image Scanning


    - Vulnerabilities


    - Secrets


    - Malware, etc.


    Supply Chain Security
    Secure your Artifact
    Build

    View full-size slide

  13. 13
    Preventing vulnerable artifacts


    from deploying
    Scan cloud deployments for security
    issues like misconfigurations
    DevOps / DevSecOps
    Container Image Scanning


    - Vulnerabilities


    - Secrets


    - Malware, etc.


    Supply Chain Security
    Secure your Artifact
    Infrastructure / Cloud / Security
    CSPM


    KSPM


    Workload Vulnerability/Config
    Harden your Deployment
    Dev
    SCA


    IaC Scanning


    SAST/DAST


    Fuzzing


    Secrets Scanning
    Preventing security from


    slowing down development
    Trust your Code
    Deploy

    View full-size slide

  14. 14
    Dev
    SCA


    IaC Scanning


    SAST/DAST


    Fuzzing


    Secrets Scanning
    Preventing security from


    slowing down development
    Trust your Code
    Preventing vulnerable artifacts


    from deploying
    Scan cloud deployments for security
    issues like misconfigurations
    DevOps / DevSecOps
    Container Image Scanning


    - Vulnerabilities


    - Secrets


    - Malware, etc.


    Supply Chain Security
    Secure your Artifact
    Infrastructure / Cloud / Security
    CSPM


    KSPM


    Workload Vulnerability/Config
    Harden your Deployment
    Security Operations
    AV


    EDR


    IDS/IPS/WAF


    Container / VMs / Server

    Protection
    Visibility and protection for cloud


    native deployments
    Handle Attack
    Attack
    Prevent
    Detect


    Block

    View full-size slide

  15. 15
    Dev
    SCA


    IaC Scanning


    SAST/DAST


    Fuzzing


    Secrets Scanning
    Preventing security from


    slowing down development
    Trust your Code
    Preventing vulnerable artifacts


    from deploying
    Scan cloud deployments for security
    issues like misconfigurations
    DevOps / DevSecOps
    Container Image Scanning


    - Vulnerabilities


    - Secrets


    - Malware, etc.


    Supply Chain Security
    Secure your Artifact
    Infrastructure / Cloud / Security
    CSPM


    KSPM


    Workload Vulnerability/Config
    Harden your Deployment
    Security Operations
    AV


    EDR


    IDS/IPS/WAF


    Container / VMs / Server

    Protection
    Visibility and protection for cloud


    native deployments
    Handle Attack
    Attack
    Deploy
    Build

    View full-size slide

  16. 16
    Shifting Left
    High Low
    Priority
    Dev
    SCA


    IaC Scanning


    SAST/DAST


    Fuzzing


    Secrets Scanning
    Preventing security from


    slowing down development
    Trust your Code
    Preventing vulnerable artifacts


    from deploying
    Scan cloud deployments for security
    issues like misconfigurations
    DevOps / DevSecOps
    Container Image Scanning


    - Vulnerabilities


    - Secrets


    - Malware, etc.


    Supply Chain Security
    Secure your Artifact
    Infrastructure / Cloud / Security
    CSPM


    KSPM


    Workload Vulnerability/Config
    Harden your Deployment
    Security Operations
    AV


    EDR


    IDS/IPS/WAF


    Container / VMs / Server

    Protection
    Visibility and protection for cloud


    native deployments
    Handle Attack

    View full-size slide

  17. 17
    Why shifting security left matters
    https://cloud.google.com/blog/products/identity-security/shift-left-on-google-cloud-security-invest-now-save-later

    View full-size slide

  18. 18
    Invest early, save later
    Dev
    SCA


    IaC Scanning


    SAST/DAST


    Fuzzing


    Secrets Scanning
    Preventing security from


    slowing down development
    Trust your Code
    Preventing vulnerable artifacts


    from deploying
    Scan cloud deployments for security
    issues like misconfigurations
    DevOps / DevSecOps
    Container Image Scanning


    - Vulnerabilities


    - Secrets


    - Malware, etc.


    Supply Chain Security
    Secure your Artifact
    Infrastructure / Cloud / Security
    CSPM


    KSPM


    Workload Vulnerability/Config
    Harden your Deployment
    Security Operations
    AV


    EDR


    IDS/IPS/WAF


    Container / VMs / Server

    Protection
    Visibility and protection for cloud


    native deployments
    Handle Attack
    Still too much

    View full-size slide

  19. 19
    https://www.darkreading.com/vulnerabilities---threats/missing-patches-misconfiguration-top-technical-breach-causes/d/d-id/1337410

    View full-size slide

  20. Number of known vulnerabilities
    20
    •Log4Shell


    •Spring4Shell


    •ProxyShell


    •ProxyLogon


    •ZeroLogon

    View full-size slide

  21. 21
    https://www.trendmicro.com/vinfo/pl/security/news/virtualization-and-cloud/data-on-123-million-us-households-exposed-due-to-misconfigured-aws-s3-bucket
    https://www.darkreading.com/attacks-breaches/misconfigured-elasticsearch-instance-exposes-more-than-5-billion-records/d/d-id/1337368
    https://www.computerweekly.com/news/252435544/Unprotected-Kubernetes-consoles-expose-firms-to-cryptojacking
    Misconfiguration-Caused Breach

    View full-size slide

  22. 22
    Start with Patch & Misconfiguration Scanning
    Dev
    SCA


    IaC Scanning


    SAST/DAST


    Fuzzing


    Secrets Scanning
    Preventing security from


    slowing down development
    Trust your Code
    Preventing vulnerable artifacts


    from deploying
    Scan cloud deployments for security
    issues like misconfigurations
    DevOps / DevSecOps
    Container Image Scanning


    - Vulnerabilities


    - Secrets


    - Malware, etc.


    Supply Chain Security
    Secure your Artifact
    Infrastructure / Cloud / Security
    CSPM


    KSPM


    Workload Vulnerability/Config
    Harden your Deployment
    Security Operations
    AV


    EDR


    IDS/IPS/WAF


    Container / VMs / Server

    Protection
    Visibility and protection for cloud


    native deployments
    Handle Attack

    View full-size slide

  23. 23
    What's Trivy?
    The Swiss Army Knife for Security Scanning
    • Started as a vulnerability scanner for container images


    • Joined Aqua Security in 2019
    https://github.com/aquasecurity/trivy

    View full-size slide

  24. 24
    Highlights
    Comprehensive


    Security


    Issues
    Easy Setup
    High Accuracy

    View full-size slide

  25. 25
    Vulnerability Scanning


    • Alpine Linux


    • Debian


    • Python


    • Go


    • Java


    • etc.

    View full-size slide

  26. 26
    Scan filesystem for vulnerabilities
    $ trivy fs [YOUR_PROJECT_DIR]

    View full-size slide

  27. $ trivy fs ./myproject
    Pipfile.lock
    ============
    Total: 9 (UNKNOWN: 1, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
    +---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
    | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
    +---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
    | django | CVE-2020-7471 | HIGH | 2.0.9 | 3.0.3, 2.2.10, 1.11.28 | django: potential |
    | | | | | | SQL injection via |
    | | | | | | StringAgg(delimiter) |
    + +------------------+----------+ +------------------------+------------------------------------+
    | | CVE-2019-19844 | MEDIUM | | 3.0.1, 2.2.9, 1.11.27 | Django: crafted email address |
    | | | | | | allows account takeover |
    +---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
    27
    Scan your project including a lock file with "filesystem" or "fs" subcommand
    Scan filesystem for vulnerabilities

    View full-size slide

  28. 28
    Scan git repository
    $ trivy repo [REPOSITORY_URL]
    e.g.


    $ trivy repo github.com/aquasecurity/tracee

    View full-size slide

  29. 29
    Infrastructure as Code (IaC) scanning


    • Terraform


    • CloudFormation


    • Kubernetes


    • Helm chart


    • Dockerfile

    View full-size slide

  30. 30
    Misconfiguration scanning
    $ trivy fs --security-checks config [YOUR_PROJECT_DIR]

    View full-size slide

  31. 31
    Misconfiguration scanning

    View full-size slide

  32. 32
    Helm chart scanning
    Demo

    View full-size slide

  33. 33
    Custom policies
    package user.kubernetes.ID001
    import lib.result
    __rego_metadata__ := {
    "id": "ID001",
    "title": "Deployment not allowed",
    "severity": "LOW",
    "description": "Deployments are not allowed because of some reasons.",
    }
    __rego_input__ := {
    "selector": [
    {"type": "kubernetes"},
    ],
    }
    deny[res] {
    input.kind == "Deployment"
    msg := sprintf("Found deployment '%s' but deployments are not
    allowed", [input.metadata.name])
    res := result.new(msg, input)
    }
    OPA/Rego

    View full-size slide

  34. 34
    Dev
    SCA


    IaC Scanning


    SAST/DAST


    Fuzzing


    Secrets Scanning
    Preventing security from


    slowing down development
    Trust your Code
    Preventing vulnerable artifacts


    from deploying
    Scan cloud deployments for security
    issues like misconfigurations
    DevOps / DevSecOps
    Container Image Scanning


    - Vulnerabilities


    - Secrets


    - Malware, etc.


    Supply Chain Security
    Secure your Artifact
    Infrastructure / Cloud / Security
    CSPM


    KSPM


    Workload Vulnerability/Config
    Harden your Deployment
    Security Operations
    AV


    EDR


    IDS/IPS/WAF


    Container / VMs / Server

    Protection
    Visibility and protection for cloud


    native deployments
    Handle Attack
    Build
    Developer Security

    View full-size slide

  35. 35
    Visual Studio Code and JetBrains
    https://marketplace.visualstudio.com/items?itemName=AquaSecurityOfficial.trivy-vulnerability-scanner

    View full-size slide

  36. 36
    Scan container images for vulnerabilities
    Dev
    SCA


    IaC Scanning


    SAST/DAST


    Fuzzing


    Secrets Scanning
    Preventing security from


    slowing down development
    Trust your Code
    Preventing vulnerable artifacts


    from deploying
    Scan cloud deployments for security
    issues like misconfigurations
    DevOps / DevSecOps
    Container Image Scanning


    - Vulnerabilities


    - Secrets


    - Malware, etc.


    Supply Chain Security
    Secure your Artifact
    Infrastructure / Cloud / Security
    CSPM


    KSPM


    Workload Vulnerability/Config
    Harden your Deployment
    Security Operations
    AV


    EDR


    IDS/IPS/WAF


    Container / VMs / Server

    Protection
    Visibility and protection for cloud


    native deployments
    Handle Attack

    View full-size slide

  37. 37
    Container image scanning
    $ trivy image [YOUR_IMAGE_NAME]

    View full-size slide

  38. 38
    Example
    $ trivy image alpine:3.10.7
    2021-07-13T18:16:52.490+0300 INFO Detected OS: alpine
    2021-07-13T18:16:52.490+0300 INFO Detecting Alpine vulnerabilities...
    alpine:3.10.7 (alpine 3.10.7)
    =============================
    Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
    +------------+------------------+----------+-------------------+---------------+---------------------------------------+
    | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
    +------------+------------------+----------+-------------------+---------------+---------------------------------------+
    | apk-tools | CVE-2021-30139 | HIGH | 2.10.4-r2 | 2.10.6-r0 | In Alpine Linux apk-tools |
    | | | | | | before 2.12.5, the tarball |
    | | | | | | parser allows a buffer... |
    | | | | | | -->avd.aquasec.com/nvd/cve-2021-30139 |
    +------------+------------------+ +-------------------+---------------+---------------------------------------+
    | busybox | CVE-2021-28831 | | 1.30.1-r4 | 1.30.1-r5 | busybox: invalid free or segmentation |
    | | | | | | fault via malformed gzip data |
    | | | | | | -->avd.aquasec.com/nvd/cve-2021-28831 |
    +------------+------------------+----------+-------------------+---------------+---------------------------------------+

    View full-size slide

  39. 39
    • OS packages


    • Debian / Ubuntu


    • Red Hat Enterprise Linux / CentOS


    • Alpine Linux


    • Amazon Linux


    • Oracle Linux


    • openSUSE / SUSE Enterprise Linux


    • Photon OS


    • Google Distroless


    • AlmaLinux / Rocky Linux


    • CBL-Mariner
    • Language-specific packages


    • Ruby


    • PHP


    • Python


    • JavaScript / Node.js


    • Rust


    • Java


    • Go


    • .NET
    Detect comprehensive vulnerabilities

    View full-size slide

  40. Integrations

    View full-size slide

  41. 41
    Continuous Integration (CI)

    View full-size slide

  42. Harbor
    43
    https://goharbor.io/blog/harbor-2.0/

    View full-size slide

  43. 44
    Azure Defender for Cloud
    https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-cicd

    View full-size slide

  44. 45
    Rancher Desktop
    https://github.com/rancher-sandbox/rancher-desktop/releases/tag/v0.4.0

    View full-size slide

  45. 46
    https://blog.aquasec.com/container-image-scanning-docker-desktop-with-trivy
    Docker Extensions (Docker Desktop)

    View full-size slide

  46. 47
    Key Takeaways


    Top Technical Breach Causes
    Dev
    SCA


    IaC Scanning


    SAST/DAST


    Fuzzing


    Secrets Scanning
    Preventing security from


    slowing down development
    Trust your Code
    Preventing vulnerable artifacts


    from deploying
    DevOps / DevSecOps
    Container Image Scanning


    - Vulnerabilities


    - Secrets


    - Malware, etc.


    Supply Chain Security
    Secure your Artifact Invest early, save later

    View full-size slide

  47. 48
    Hard-coded secrets scanning


    • AWS Access Key ID / Secret Access Key


    • GCP Service Account


    • GitHub Personal Access Token


    • Slack Access Token


    • etc.

    View full-size slide

  48. 49
    Secret scanning
    Enabled by default


    $ trivy image [YOUR_IMAGE]


    $ trivy fs [YOUR_PROJECT_DIR]

    View full-size slide

  49. 50
    Optimization
    FROM debian:8
    RUN apt-get update
    COPY mysecret.txt /
    ENTRYPOINT ["entrypoint.sh"]
    CMD ["somecmd"]
    Secret scanning is quite slow
    No need to scan

    View full-size slide

  50. 51
    License classification


    • Forbidden


    • Restricted


    • Reciprocal


    • Notice


    • Etc.
    https://opensource.google/documentation/reference/thirdparty/licenses

    View full-size slide

  51. 52
    License scanning (compliance)
    $ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
    2022-07-13T17:28:39.526+0300 INFO License scanning is enabled
    OS Packages (license)
    =====================
    Total: 6 (UNKNOWN: 0, HIGH: 6, CRITICAL: 0)
    !"""""""""""""""""""#"""""""""#""""""""""""""""#""""""""""$
    % Package % License % Classification % Severity %
    &"""""""""""""""""""'"""""""""'""""""""""""""""'""""""""""(
    % alpine-baselayout % GPL-2.0 % Restricted % HIGH %
    &"""""""""""""""""""( % % %
    % apk-tools % % % %
    &"""""""""""""""""""( % % %
    % busybox % % % %
    &"""""""""""""""""""( % % %
    % musl-utils % % % %
    &"""""""""""""""""""( % % %
    % scanelf % % % %
    &"""""""""""""""""""( % % %
    % ssl_client % % % %
    )"""""""""""""""""""*"""""""""*""""""""""""""""*""""""""""+

    View full-size slide

  52. 53
    Extended license scanning
    $ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana
    2022-07-13T17:48:40.905+0300 INFO Full license scanning is enabled
    Loose File License(s) (license)
    ===============================
    Total: 6 (UNKNOWN: 4, HIGH: 0, CRITICAL: 2)
    !""""""""""""""""#""""""""""#""""""""""""""#""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""$
    % Classification % Severity % License % File Location %
    &""""""""""""""""'""""""""""'""""""""""""""'""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""(
    % Forbidden % CRITICAL % AGPL-3.0 % /usr/share/grafana/LICENSE %
    % % % % %
    % % % % %
    &""""""""""""""""'""""""""""'""""""""""""""'""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""(
    % Non Standard % UNKNOWN % BSD-0-Clause % /usr/share/grafana/public/build/5069.d6aae9dd11d49c741a80.j- %
    % % % % s.LICENSE.txt %
    % % % &""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""(
    % % % % /usr/share/grafana/public/build/6444.d6aae9dd11d49c741a80.j- %
    % % % % s.LICENSE.txt %
    )""""""""""""""""*""""""""""*""""""""""""""*""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""+
    Scan license files and file headers (--license-full)

    View full-size slide

  53. 54
    Trivy covers more
    Dev
    SCA


    IaC Scanning


    SAST/DAST


    Fuzzing


    Secrets Scanning
    Preventing security from


    slowing down development
    Trust your Code
    Preventing vulnerable artifacts


    from deploying
    Scan cloud deployments for security
    issues like misconfigurations
    DevOps / DevSecOps
    Container Image Scanning


    - Vulnerabilities


    - Secrets


    - Malware, etc.


    Supply Chain Security
    Secure your Artifact
    Infrastructure / Cloud / Security
    CSPM


    KSPM


    Workload Vulnerability/Config
    Harden your Deployment
    Security Operations
    AV


    EDR


    IDS/IPS/WAF


    Container / VMs / Server

    Protection
    Visibility and protection for cloud


    native deployments
    Handle Attack

    View full-size slide

  54. 55
    Kubernetes cluster scanning
    # cluster scanning
    $ trivy k8s --report summary cluster
    # namespace scanning:
    $ trivy k8s -n kube-system --report summary all
    # resources scanning:
    $ trivy k8s deployment/orion

    View full-size slide

  55. 56
    Summary Report

    View full-size slide

  56. 57
    Detailed Report

    View full-size slide

  57. 58
    Trivy covers more and more
    Dev
    SCA


    IaC Scanning


    SAST/DAST


    Fuzzing


    Secrets Scanning
    Preventing security from


    slowing down development
    Trust your Code
    Preventing vulnerable artifacts


    from deploying
    Scan cloud deployments for security
    issues like misconfigurations
    DevOps / DevSecOps
    Container Image Scanning


    - Vulnerabilities


    - Secrets


    - Malware, etc.


    Supply Chain Security
    Secure your Artifact
    Infrastructure / Cloud / Security
    CSPM


    KSPM


    Workload Vulnerability/Config
    Harden your Deployment
    Security Operations
    AV


    EDR


    IDS/IPS/WAF


    Container / VMs / Server

    Protection
    Visibility and protection for cloud


    native deployments
    Handle Attack

    View full-size slide

  58. 59
    AWS scanning
    $ trivy aws
    Coming soon (v0.31.0)

    View full-size slide

  59. Software Bill of Materials (SBOM) generation
    63
    Support three formats


    •CycloneDX (--format cyclonedx)


    •SPDX (--format spdx, --format spdx-json)


    •GitHub Dependency Snapshots (--format github)
    $ trivy image --format cyclonedx [YOUR_IMAGE]
    https://cyclonedx.org/


    https://spdx.dev/


    https://docs.github.com/en/rest/dependency-graph/dependency-submission

    View full-size slide

  60. SBOM scanning
    64
    $ trivy image --format cyclonedx --output alpine.cdx.json alpine:3.15
    $ trivy sbom alpine.cdx.json
    alpine.cdx.json (alpine 3.7.1)
    ==============================
    Total: 3 (CRITICAL: 3)
    !"""""""""""""#""""""""""""""""#""""""""""#"""""""""""""""""""#"""""""""""""""#""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""$
    % Library % Vulnerability % Severity % Installed Version % Fixed Version % Title %
    &"""""""""""""'""""""""""""""""'""""""""""'"""""""""""""""""""'"""""""""""""""'""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""(
    % curl % CVE-2018-14618 % CRITICAL % 7.61.0-r0 % 7.61.1-r0 % curl: NTLM password overflow via integer overflow %
    % % % % % % https://avd.aquasec.com/nvd/cve-2018-14618 %
    &"""""""""""""'""""""""""""""""'""""""""""'"""""""""""""""""""'"""""""""""""""'""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""(
    % libbz2 % CVE-2019-12900 % CRITICAL % 1.0.6-r6 % 1.0.6-r7 % bzip2: out-of-bounds write in function BZ2_decompress %
    % % % % % % https://avd.aquasec.com/nvd/cve-2019-12900 %
    &"""""""""""""'""""""""""""""""'""""""""""'"""""""""""""""""""'"""""""""""""""'""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""(
    % sqlite-libs % CVE-2019-8457 % CRITICAL % 3.21.0-r1 % 3.25.3-r1 % sqlite: heap out-of-bound read in function rtreenode() %
    % % % % % % https://avd.aquasec.com/nvd/cve-2019-8457 %
    )"""""""""""""*""""""""""""""""*""""""""""*"""""""""""""""""""*"""""""""""""""*""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""+

    View full-size slide

  61. Attestation
    65
    •Authenticated metadata about a
    set of software artifacts


    •Provenance


    •A container image with digest
    "sha256:87f7fe…" from git commit
    "f0c93d…"


    •SBOM


    •Formats


    •In-toto attestation
    {
    "payloadType": "application/vnd.in-toto+json",
    "payload":
    "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1l
    bnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwOi8vbXkuZ
    XhhbXBsZS5jb20vYXV0aG9yIiwic3ViamVjdCI6W3sibmFtZS
    I6ImluZGV4LmRvY2tlci5pby9vdG1zNjEvaGVsbG8tMSIsImR
    pZ2VzdCI6eyJzaGEyNTYiOiIyMGQzZjY5M2RjZmZhNDRkNmIy
    NGVhZTg4NzgzMzI0ZDI1Y2MxMzJjMjIwODlmNzBlNGZiZmI4N
    Tg2MjViMDYyIn19XSwicHJlZGljYXRlIjp7ImF1dGhvciI6In
    Nhc28ifX0=",
    "signatures": [
    {
    "keyid": "",
    "sig": "MEQC++c7F1czPr...CKdBdjq+If/g67Q=="
    }
    ]
    }
    https://github.com/in-toto/attestation

    View full-size slide

  62. Trivy Operator
    66
    •Automated vulnerability scanning for
    Kubernetes workloads.


    •Automated configuration audits for
    Kubernetes resources with predefined
    rules or custom Open Policy Agent
    (OPA) policies.


    •Custom Resource Definitions and a Go
    module to work with and integrate a
    range of security scanners.


    •The Lens Extension that make security
    reports available through familiar
    Kubernetes interfaces.

    View full-size slide

  63. Dependency


    Origin Tree


    (Node.js)
    67

    View full-size slide

  64. trivy.yaml
    68
    $ cat << EOS > trivy.yaml
    timeout: 20m
    format: json
    dependency-tree: true
    list-all-pkgs: true
    exit-code: 1
    output: result.json
    severity:
    - HIGH
    - CRITICAL
    scan:
    security-checks:
    - vuln
    - secret
    vulnerability:
    ignore-unfixed: true
    EOS
    $ trivy image YOUR_IMAGE

    View full-size slide

  65. 69
    Client/Server
    Server
    ᶃ Download vulnerability DB
    Client
    ᶄ Pull layers
    Cache
    ᶇ Store cache
    ᶅ Analyze
    ᶆ Send layer information
    ᶈ Respond vulnerabilities
    Container Registry

    View full-size slide

  66. 70
    Open Policy Agent (OPA) Integration
    Rego
    --ignore-policy
    Detected


    Vulnerabilities
    OPA
    Result
    * EXPERIMENTAL feature
    KubeCon Europe 2020


    https://static.sched.com/hosted_files/kccnceu20/e5/2020%3A08%20KubeCon%20Europe%202020.pdf

    View full-size slide

  67. 71
    WebAssembly Module
    * EXPERIMENTAL feature
    $ trivy module install ghcr.io/
    aquasecurity/trivy-module-spring4shell
    $ trivy image ghcr.io/aquasecurity/
    trivy-test-images:spring4shell-jre8
    OCI Registries
    Inspect Tomcat


    Configuration...

    View full-size slide

  68. 72
    Audit Your Software Supply Chain for CIS Compliance
    • The CIS Software Supply Chain Security Guide


    • Aqua Security and the Center for Internet
    Security (CIS) collaborated


    • Provides more than 100 foundational
    recommendations


    • Support key emerging standards like
    Supply-chain Levels for Software Artifacts
    (SLSA) and The Update Framework (TUF).
    https://github.com/aquasecurity/chain-bench

    View full-size slide

  69. 73
    Simplify Cloud Native Security with Trivy
    Covered by
    Dev
    SCA


    IaC Scanning


    SAST/DAST


    Fuzzing


    Secrets Scanning
    Preventing security from


    slowing down development
    Trust your Code
    Preventing vulnerable artifacts


    from deploying
    Scan cloud deployments for security
    issues like misconfigurations
    DevOps / DevSecOps
    Container Image Scanning


    - Vulnerabilities


    - Secrets


    - Malware, etc.


    Supply Chain Security
    Secure your Artifact
    Infrastructure / Cloud / Security
    CSPM


    KSPM


    Workload Vulnerability/Config
    Harden your Deployment
    Security Operations
    AV


    EDR


    IDS/IPS/WAF


    Container / VMs / Server

    Protection
    Visibility and protection for cloud


    native deployments
    Handle Attack

    View full-size slide

  70. © 2022 Aqua Security Software Ltd., All Rights Reserved
    Thanks

    View full-size slide