DEV Community

Cover image for Scan your docker images with trivy
Antoine
Antoine

Posted on • Updated on

Scan your docker images with trivy

Photo by Michael Longmire on Unsplash

Docker is useful to easily grab tools based on various images. But as those images will run on your environment or system, you have to at least know what is in or what is missing (security patch, outdated packages).

trivy is a great tool to do that. The output is clear.

An example of scanning dotnet core sdk 3.1 image:
Alt Text

As i'm a windows user, i usually inject the scan in the Docker.It can be achieved using a multi stage build and using target to have the container with or without the analysis like in this post .

But now that i have WSL2, i can use

  • a Ubuntu wsl2 image
  • Docker decktop wsl2 integration
  • install trivy on my Ubuntu image

As from my Ubuntu wsl 2, i can access docker without exposing daemon without TLS.

So now, i can use the following command:

trivy image -s HIGH,CRITICAL mcr.microsoft.com/dotnet/core/sdk:3.1

you can use it too on your CI system. The option --exit-code which is great to get the information without blocking the chain. See this post for Azure Devops.

Hope this help !

Top comments (1)

Collapse
 
edwinan profile image
shiping an

How I hope this can scan with Windows container, not docker with Linux container.

  • Tirvy in wsl2 (Linux)
  • Docker decktop Windows container intergation.

And then run trivy in wsl2 to san windows container image.