DEV Community

Arash Hatami

Scan Docker images using Trivy

My Workflow

Docker is currently one of the main tools in the DevOps domain, and you may well be dealing with several Docker images every day.
In the past I used to build and publish Docker images manually on my own PC. Now, with GitHub Actions, the job is fast and easy and I leave everything to GitHub.

For example, look at my repository (Memcached-Admin). It's a Dockerized PHP web application for managing Memcached server(s). To use this project I have to go through these steps:

  • Build Image
  • Check and scan security vulnerabilities
  • Push to Dockerhub
  • Push to Other Docker registries

Doing all of this by hand wastes my time. Also, after doing what is needed to build the image, I have to make sure it is secure and free of known security bugs. Here we have one of the best tools for that ... Trivy 💪, a simple and comprehensive vulnerability scanner for containers and other artifacts, suitable for CI.

Thanks to GitHub Actions, we can now put all of this together.

I wrote simple workflows to handle the whole process.

hatamiarash7 / Memcached-Admin

Memcached admin for docker

Memcached Admin


This program lets you see, in real time (top-like) or since the server started, stats for the get, set, delete, increment, decrement, evictions, reclaimed and cas commands, as well as server stats (network, items, server version) with Google Charts and the server's internal configuration.

You can go further and see each server's slabs, occupation, wasted memory and items (key & value).

Another part can execute commands against any memcached server: get, set, delete, flush_all, as well as any other command (like stats) via telnet.


Statistics

  • Stats for each or all memcached servers: items, evicted, reclaimed ...
  • Stats for every command: set, get, delete, incr, decr, cas ...
  • Slabs stats (memory, pages, memory wasted, items)
  • Items stats (view items in slabs, then data for each key)
  • Network stats (traffic, bandwidth)

Commands

  • Execute commands (get, set, delete, flush_all) on servers to administer or debug them
  • Get data…

Submission Category:

Maintainer Must-Haves

Yaml File or Link to Code

name: Docker Image CI

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      # Tag the local image with the commit SHA so the scan result is tied to one revision
      - name: Build the Docker image
        run: docker build -t memcached-admin:${{ github.sha }} .

      # exit-code "1" fails the job when a fixable HIGH or CRITICAL vulnerability is found
      # in OS packages or application libraries; findings with no fix yet are not counted
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: "memcached-admin:${{ github.sha }}"
          exit-code: "1"
          ignore-unfixed: true
          vuln-type: "os,library"
          severity: "CRITICAL,HIGH"
          format: "template"
          template: "@/contrib/sarif.tpl"
          output: "trivy-results.sarif"

      # Upload even when the scan step failed; otherwise the findings that broke
      # the build never reach the Security tab
      - name: Upload Trivy scan results to GitHub Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: "trivy-results.sarif"

This workflow has four simple steps: check out the code, build the image, scan it with Trivy, and upload the SARIF results to GitHub.
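To make concrete what the Trivy options in this workflow filter, here is an added Python example (not part of the original post or of the trivy-action project) that applies the same severity, ignore-unfixed, vuln-type and exit-code policy to a report in the shape of Trivy's JSON output. The report, its CVE-0000-* ids and the mapping of vuln-type to the Class field are constructed assumptions.

```python
"""Reproduce the gating policy of the Trivy step above on a Trivy JSON report.
severity=CRITICAL,HIGH, ignore-unfixed=true, vuln-type=os,library and exit-code=1
decide which findings fail the build. SAMPLE_REPORT is a constructed sample in the
shape of Trivy's JSON output (Results[].Vulnerabilities[]), not real scan data."""
import json

GATE_SEVERITIES = {"CRITICAL", "HIGH"}   # severity: "CRITICAL,HIGH"
IGNORE_UNFIXED = True                    # ignore-unfixed: true
VULN_CLASSES = {"os-pkgs", "lang-pkgs"}  # vuln-type: "os,library" (assumed Class mapping)

# Constructed sample; the CVE-0000-* ids are placeholders, not real identifiers.
SAMPLE_REPORT = json.loads("""{
  "Results": [
    {"Target": "memcached-admin (debian 11.1)", "Class": "os-pkgs", "Type": "debian",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
        "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
       {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
        "InstalledVersion": "2.0-1", "FixedVersion": "", "Severity": "CRITICAL"},
       {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3",
        "InstalledVersion": "3.0-1", "FixedVersion": "3.0-2", "Severity": "MEDIUM"}]},
    {"Target": "composer.lock", "Class": "lang-pkgs", "Type": "composer",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-0004", "PkgName": "vendor/package",
        "InstalledVersion": "1.2.3", "FixedVersion": "1.2.4", "Severity": "CRITICAL"}]},
    {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
     "Misconfigurations": [{"ID": "DS-PLACEHOLDER", "Severity": "HIGH"}]}
  ]
}""")

def gating_findings(report, severities=GATE_SEVERITIES,
                    ignore_unfixed=IGNORE_UNFIXED, classes=VULN_CLASSES):
    """Return (id, target, pkg, installed, fixed) for findings that would fail the build."""
    failing = []
    for result in report.get("Results", []):
        if result.get("Class") not in classes:  # config/secret results are outside vuln-type
            continue
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in severities:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):  # no fix available yet
                continue
            failing.append((v["VulnerabilityID"], result["Target"], v["PkgName"],
                            v["InstalledVersion"], v["FixedVersion"]))
    return failing

def exit_code(report, **policy):
    """Mirror exit-code: "1" -- the step fails only when a gating finding remains."""
    return 1 if gating_findings(report, **policy) else 0
```

Relaxing the policy (for example `ignore_unfixed=False`) shows the unfixed CRITICAL finding reappear, which is what the workflow deliberately suppresses.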

I can see the results in the Security tab of my project:


Now I can push my image to Docker Hub using another workflow:

name: Publish Dockerhub

on:
  schedule:
    - cron: "0 2 * * *"
  push:
    branches: [master]
  pull_request:
    branches: [master]

env:
  REGISTRY: docker.io
  IMAGE_NAME: hatamiarash7/memcached-admin

jobs:
  build:
    runs-on: ubuntu-latest
    # packages: write is only needed when pushing to GitHub's own registry (ghcr.io);
    # it is harmless but unused with REGISTRY set to docker.io
    permissions:
      contents: read
      packages: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      # Third-party actions below are pinned to full commit SHAs rather than mutable tags,
      # so a later change to the action cannot silently alter this workflow.
      # Never log in on pull_request runs: secrets are not exposed there and nothing is pushed
      - name: Log into registry ${{ env.REGISTRY }}
        if: github.event_name != 'pull_request'
        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
        with:
          registry: ${{ env.REGISTRY }}
          # github.actor must equal the Docker Hub account name that owns DOCKERHUB_TOKEN
          username: ${{ github.actor }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Derive tags (branch, git tag, sha) and OCI labels from the git context
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      # Pull requests only build; pushes and the nightly schedule build and push
      - name: Build and push Docker image
        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

Another great feature of GitHub Actions is that I can schedule my workflow to run. For example, to push the image at 02:00 every day:

...

on:
  schedule:
    - cron: "0 2 * * *"

...

Now everything is done automatically and I just need to push my changes to the repository.

Additional Resources / Info

I used this action: aquasecurity/trivy-action

Discussion (1)

Mohsen Sabbaghi

Like!