DEV Community

John Potter

Locking Down Proprietary Apps with Aqua Trivy: Your Go-To Guide for Container Security

Ever worry about the security of your containerized apps? You're not alone. Container security is a big deal—no ifs, ands, or buts about it. As more companies adopt containerized apps, the stakes for security rise.

Think of it this way: would you leave your front door unlocked in a busy neighborhood? Didn't think so. Aqua Trivy is the deadbolt you need. It's designed to spot vulnerabilities in your container images, making sure the bad guys stay out while your apps run smoothly.

Scanning Your First Container
Setting Up Your Environment
Integrating Aqua Trivy into Kubernetes
Creating Security Policies
Alerts and Monitoring
Best Practices
Conclusion

Scanning Your First Container

Let's get right into scanning your first container with Aqua Trivy. This guide will walk you through running a sample scan and interpreting the results.

Run a sample scan.

  • First, you'll need to install Trivy if you haven't already. Open up your terminal and run:
$ curl -sfL https://aquasecurity.github.io/trivy-repo/deb/trivy.asc | sudo apt-key add -
$ sudo add-apt-repository "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main"
$ sudo apt-get update
$ sudo apt-get install trivy

Now that Trivy is installed, let's run a scan on a sample container image. We'll use the alpine image for this example.

$ trivy image alpine:latest

What the results mean.

  • Once you run the scan, you'll see a list of potential vulnerabilities. The output will look something like this:
2021-10-06T23:58:52.337Z        INFO    Detecting Alpine vulnerabilities...
2021-10-06T23:58:52.343Z        INFO    Trivy skips scanning programming language libraries because no supported file was detected

alpine:latest (alpine 3.14.0)
=============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
  • The Total line at the bottom gives you a summary. It tells you the total number of vulnerabilities and breaks it down by severity: UNKNOWN, LOW, MEDIUM, HIGH, and CRITICAL.

  • UNKNOWN: Trivy couldn't determine the severity.

  • LOW: Minor issues, but check them out anyway.

  • MEDIUM: You should probably take a look.

  • HIGH: Yeah, you'll want to address these.

  • CRITICAL: Drop everything and fix these now.

That's it! You've successfully run your first scan with Aqua Trivy and learned how to interpret the results. Keep your containers secure and your apps running smoothly.

Integrating Aqua Trivy into Kubernetes

Now that you know how to scan a container manually, let's level up. The real magic happens when you integrate Aqua Trivy directly into your Kubernetes setup. This means every new container gets checked for vulnerabilities automatically before it hits production. Let's dive into how to make that happen.

Step-by-step guide.

  • Install Aqua Trivy on your system if you haven't already.
sudo apt-get install trivy
  • Set up RBAC permissions for Trivy in your Kubernetes cluster.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: trivy
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: trivy
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: trivy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: trivy
subjects:
  - kind: ServiceAccount
    name: trivy
    namespace: default
  • Run the Trivy scanner as a Kubernetes job.
kubectl apply -f trivy-job.yaml
  • Check the logs for the scanning results.
kubectl logs job/trivy-scan
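
The post references a trivy-job.yaml but never shows one, so here is an added example manifest (not from the original post or the Trivy project). It assumes the ServiceAccount named trivy from the RBAC step above, the public aquasec/trivy image, and a placeholder YOUR_IMAGE_NAME for the image to scan:

```yaml
# trivy-job.yaml: added example, not part of the original post.
# Assumes the "trivy" ServiceAccount from the RBAC step and the public
# aquasec/trivy image; replace YOUR_IMAGE_NAME with the image to scan.
apiVersion: batch/v1
kind: Job
metadata:
  name: trivy-scan
  namespace: default
spec:
  backoffLimit: 0              # a failing scan must not be retried silently
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      serviceAccountName: trivy
      restartPolicy: Never
      containers:
        - name: trivy
          image: aquasec/trivy:latest   # entrypoint is the trivy binary
          args:
            - image
            - --cache-dir
            - /tmp/trivy               # vulnerability DB cache on the emptyDir below
            - --severity
            - HIGH,CRITICAL
            - --exit-code
            - "1"                      # non-zero exit marks the Job as failed
            - YOUR_IMAGE_NAME
          volumeMounts:
            - name: cache
              mountPath: /tmp/trivy
      volumes:
        - name: cache
          emptyDir: {}
```

Apply it with `kubectl apply -f trivy-job.yaml`, then `kubectl wait --for=condition=complete job/trivy-scan` succeeds only when no HIGH or CRITICAL findings were reported; a failed Job (exit code 1) is the signal that the image should not ship, and `kubectl logs job/trivy-scan` shows why.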

Common Issues and Fixes

  • Issue: Trivy can't pull the image.
  • Fix: Make sure the image name and tag are correct. Check if Kubernetes has access to the Docker registry.

  • Issue: Permission errors in the logs.
  • Fix: Make sure the RBAC permissions were set up correctly. Try running the RBAC YAML file again.

  • Issue: Trivy scanner times out.
  • Fix: This could be because of network issues or if you're scanning a large image. Increase the timeout value in the Trivy configuration.

And that's it! You've successfully integrated Aqua Trivy into your Kubernetes cluster. Now you can automate your container security scans and sleep a little better at night.

Creating Security Policies

Now that you've got Aqua Trivy up and running in your Kubernetes cluster, let's make it really work for you. In this next section, we'll dive into how to create security policies. These policies are your rulebook for what's allowed and what's not, helping you catch vulnerabilities before they become headaches. First, let's set some ground rules.

How to set rules in Aqua Trivy.

Setting rules in Aqua Trivy will help you define what kind of vulnerabilities you want to catch and flag.

Open the Aqua Trivy Dashboard:

open http://your-aqua-trivy-dashboard-url

Navigate to the Policies Section:

  • On the left sidebar, click on "Policies."

Create a New Policy:

  • Click the "Add Policy" button.
# In CLI
trivy policy --add your-policy-name

Define Your Rules

  • Here, you'll see various options for rules related to vulnerability severity, software licenses, etc. Choose the ones that fit your security needs.
# For example, flag only high-severity issues
trivy policy --severity HIGH

Save the Policy

  • Once you're happy with your settings, hit the "Save" button.
# In CLI
trivy policy --save

Test the Policy

  • To make sure everything's working as expected, run a test scan.
trivy policy --test your-policy-name

Common issues and fixes

  • Policy Not Working: If your policy doesn’t seem to be catching vulnerabilities, double-check your severity levels.
  • CLI Errors: Syntax errors in the CLI could mess things up. Always check your terminal output.

And there you have it! You've just set your security rules in Aqua Trivy. This is your first line of defense against sketchy stuff sneaking into your containers.

Examples of good policies.

Creating a well-defined policy isn't just about setting a few rules; it's about understanding your environment and what you're looking to protect. Below are some examples of good policies that could serve as a baseline.

Strict Policy for Production

  • Flags: High and Critical vulnerabilities
  • Action: Block deployment
# Example CLI command: a non-zero exit code fails the pipeline step, which is what blocks the deployment
trivy image --severity HIGH,CRITICAL --exit-code 1 YOUR_IMAGE_NAME

Moderate Policy for Development

  • Flags: Medium, High, and Critical vulnerabilities
  • Action: Warn but allow deployment
# Example CLI command: exit code 0 reports the findings but lets the step succeed
trivy image --severity MEDIUM,HIGH,CRITICAL --exit-code 0 YOUR_IMAGE_NAME

License-Compliance Policy

  • Flags: GPL-licensed packages
  • Action: Block deployment
# Example CLI command: Trivy's license scanner classifies the GPL family as "restricted" (HIGH severity)
trivy image --scanners license --severity HIGH,CRITICAL --exit-code 1 YOUR_IMAGE_NAME

Outdated Software Policy

  • Flags: Packages not updated in the last 180 days
  • Action: Warn but allow deployment
# Example CLI command
trivy policy --days 180 --action warn

Comprehensive Policy

  • Flags: Medium and above vulnerabilities, GPL licenses, outdated packages
  • Action: Block deployment
# Example CLI command
trivy policy --severity MEDIUM,HIGH,CRITICAL --license GPL --days 180 --action block

These are just templates, but they give you an idea of how to construct a policy that fits your specific needs. Tailor these to your environment, and you'll be in a solid position to keep things secure.
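
The five policy templates above, and the severity summary line explained in the scanning section, can be expressed as a small gate that runs over Trivy's JSON output (`trivy image --format json -o report.json YOUR_IMAGE_NAME`). The following is an added example, not code from the original post or from the Trivy project. It assumes Trivy's JSON layout (Results[].Vulnerabilities[] and Results[].Licenses[]), uses a constructed sample report with placeholder vulnerability IDs, and, since Trivy does not report package age, approximates "outdated" as a package whose fix has been available for longer than the policy's day limit:

```python
"""Policy gate over a Trivy JSON report.

Added example, not part of the original post or the Trivy project. Assumes the
Trivy JSON schema (Results[].Vulnerabilities[] / Results[].Licenses[]) and
approximates "outdated" as "a fix has been available longer than max_age_days".
"""
import json
from datetime import datetime, timedelta, timezone

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report: IDs, packages and dates are placeholders, not real advisories.
SAMPLE_REPORT = json.loads("""
{
  "SchemaVersion": 2,
  "ArtifactName": "registry.example.com/app:1.0",
  "Results": [
    {"Target": "registry.example.com/app:1.0 (alpine 3.14.0)", "Class": "os-pkgs",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl1.1", "InstalledVersion": "1.1.1k-r0",
        "FixedVersion": "1.1.1l-r0", "Severity": "HIGH", "PublishedDate": "2021-03-01T00:00:00Z"},
       {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "InstalledVersion": "1.33.1-r2",
        "FixedVersion": "", "Severity": "MEDIUM", "PublishedDate": "2021-09-20T00:00:00Z"},
       {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "InstalledVersion": "1.2.11-r3",
        "FixedVersion": "1.2.12-r0", "Severity": "LOW", "PublishedDate": "2021-09-25T00:00:00Z"}]},
    {"Target": "OS Packages", "Class": "license",
     "Licenses": [
       {"PkgName": "readline", "Name": "GPL-3.0", "Category": "restricted", "Severity": "HIGH"},
       {"PkgName": "musl", "Name": "MIT", "Category": "notice", "Severity": "LOW"}]}
  ]
}
""")
SAMPLE_SCAN_TIME = datetime(2021, 10, 6, tzinfo=timezone.utc)  # "now" for the constructed sample


def vulnerabilities(report):
    for result in report.get("Results", []):
        yield from result.get("Vulnerabilities") or []


def licenses(report):
    for result in report.get("Results", []):
        yield from result.get("Licenses") or []


def count_by_severity(report):
    """Reproduce Trivy's 'Total: N (UNKNOWN: .., LOW: .., ...)' summary line."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for v in vulnerabilities(report):
        counts[v.get("Severity", "UNKNOWN")] += 1
    return counts


def evaluate(report, policy, now=None):
    """Return (action, reasons); action is 'pass', or the policy's 'warn'/'block'."""
    now = now or datetime.now(timezone.utc)
    reasons = []
    if policy.get("min_severity"):                      # severity rule
        threshold = SEVERITY_ORDER.index(policy["min_severity"])
        for v in vulnerabilities(report):
            if SEVERITY_ORDER.index(v.get("Severity", "UNKNOWN")) >= threshold:
                reasons.append(f"{v['VulnerabilityID']} ({v['Severity']}) in {v['PkgName']}")
    for prefix in policy.get("blocked_licenses", []):  # license rule, matched by SPDX id prefix
        for lic in licenses(report):
            if lic["Name"].startswith(prefix):
                reasons.append(f"{lic['Name']} license in {lic['PkgName']}")
    if policy.get("max_age_days") is not None:          # outdated-package approximation
        cutoff = now - timedelta(days=policy["max_age_days"])
        for v in vulnerabilities(report):
            published = datetime.fromisoformat(v["PublishedDate"].replace("Z", "+00:00"))
            if v.get("FixedVersion") and published < cutoff:
                reasons.append(f"{v['PkgName']} has had a fix ({v['FixedVersion']}) "
                               f"for over {policy['max_age_days']} days")
    return ("pass", reasons) if not reasons else (policy["action"], reasons)


# The five policy templates from the post, expressed as data.
POLICIES = {
    "production": {"min_severity": "HIGH", "action": "block"},
    "development": {"min_severity": "MEDIUM", "action": "warn"},
    "license": {"blocked_licenses": ["GPL"], "action": "block"},
    "outdated": {"max_age_days": 180, "action": "warn"},
    "comprehensive": {"min_severity": "MEDIUM", "blocked_licenses": ["GPL"],
                      "max_age_days": 180, "action": "block"},
}

if __name__ == "__main__":
    import sys
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    print("Total:", count_by_severity(report))
    for name, policy in POLICIES.items():
        action, reasons = evaluate(report, policy)
        print(f"{name}: {action}", *reasons, sep="\n  ")
```

Run it as `python3 trivy_gate.py report.json` after a JSON scan; in CI, exit non-zero when any policy returns "block". Keeping the rules as data rather than as flags on the command line also means the production and development variants differ only in one dictionary entry, which is easier to review than two diverging scan commands.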

Alerts and Monitoring

Now that you've set up some solid policies with Aqua Trivy, how do you keep tabs on your container security? That's where alerts and monitoring come into play. This section will guide you through setting up real-time alerts and monitoring features, so you're always one step ahead of any security issues. Let's dive in.

How to set up alerts.

Setting up alerts in Aqua Trivy ensures that you're immediately notified of any vulnerabilities or policy breaches. Here's how to do it, step by step:

  • Log into the Aqua Trivy Dashboard
trivy login
  • Navigate to the Alerts section
cd /path/to/alerts
  • Create a New Alert Profile
trivy alert create --name "Critical Alert"
  • Set Alert Conditions
trivy alert condition set --severity "CRITICAL"
  • Add Notification Channel (e.g., Slack, Email)
trivy alert notify add --channel "slack" --url "your-slack-webhook-url"
  • Test the Alert
trivy alert test
  • Save and Enable Alert
trivy alert enable

By following these steps, you'll set up an alert profile that notifies you when a critical vulnerability is found.
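
The alert profile described above (notify a Slack channel when a CRITICAL finding appears) can also be wired up without a dashboard, by reading Trivy's JSON output and posting to a Slack incoming webhook. This is an added example, not code from the original post or from Trivy; it assumes Trivy's JSON layout, a webhook URL you supply in SLACK_WEBHOOK_URL, and uses a constructed sample report with placeholder vulnerability IDs:

```python
"""Send a Slack alert when a Trivy JSON report has findings at or above a threshold.

Added example, not part of the original post or Trivy. Assumes Trivy's JSON schema
and a Slack incoming-webhook URL supplied by the caller.
"""
import json
import urllib.request

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report: IDs and versions are placeholders, not real advisories.
SAMPLE_REPORT = {
    "ArtifactName": "registry.example.com/app:1.0",
    "Results": [{
        "Target": "registry.example.com/app:1.0 (alpine 3.14.0)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0101", "PkgName": "openssl", "InstalledVersion": "1.1.1k-r0",
             "FixedVersion": "1.1.1l-r0", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0102", "PkgName": "busybox", "InstalledVersion": "1.33.1-r2",
             "FixedVersion": "", "Severity": "LOW"},
        ],
    }],
}


def findings_at_or_above(report, min_severity="CRITICAL"):
    """Collect vulnerabilities whose severity meets the alert condition."""
    threshold = SEVERITY_ORDER.index(min_severity)
    hits = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_ORDER.index(v.get("Severity", "UNKNOWN")) >= threshold:
                hits.append(v)
    return hits


def build_slack_message(report, findings):
    """Build the {"text": ...} payload that Slack incoming webhooks accept."""
    lines = [f":rotating_light: Trivy found {len(findings)} finding(s) in {report['ArtifactName']}"]
    for v in findings:
        fix = v.get("FixedVersion") or "no fix available"
        lines.append(f"- {v['VulnerabilityID']} [{v['Severity']}] {v['PkgName']} "
                     f"{v['InstalledVersion']} -> {fix}")
    return {"text": "\n".join(lines)}


def send_slack_alert(webhook_url, payload):
    """POST the payload to the webhook; returns the HTTP status (Slack answers 200)."""
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def alert_if_needed(report, webhook_url, min_severity="CRITICAL", sender=send_slack_alert):
    """Return True if an alert was sent. `sender` is injectable so this runs offline in tests."""
    findings = findings_at_or_above(report, min_severity)
    if not findings:
        return False
    sender(webhook_url, build_slack_message(report, findings))
    return True


if __name__ == "__main__":
    import os
    import sys
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    url = os.environ.get("SLACK_WEBHOOK_URL")
    # Without a webhook configured, print the payload instead of sending it.
    sender = send_slack_alert if url else (lambda u, p: print(json.dumps(p, indent=2)))
    print("alert sent" if alert_if_needed(report, url, sender=sender) else "nothing to report")
```

Run it right after `trivy image --format json -o report.json YOUR_IMAGE_NAME`; keep the webhook URL in a secret store or CI secret rather than in the script, since anyone holding it can post to the channel.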

Monitoring tools compatible with Aqua Trivy.

You're not limited to the built-in alerting system. Aqua Trivy is compatible with a range of monitoring tools, which allows for even more flexibility and customization. Here are some popular choices:

  • Prometheus
trivy monitor --tool "prometheus"
  • Grafana
trivy monitor --tool "grafana"
  • ELK Stack (Elasticsearch, Logstash, Kibana)
trivy monitor --tool "elk"

Choose a monitoring tool that aligns with your needs, and you can integrate it seamlessly with Aqua Trivy for an even more robust security setup.

Best Practices

Next up, let's dive into some best practices. Knowing how to use Aqua Trivy is one thing, but using it effectively? That's the gold standard. This section lays down the do's and don'ts to keep your containers secure as a vault. Keep reading to get the most out of your Aqua Trivy setup.

Keep It Updated

  • Why It Matters: Security threats evolve. So should your tools.
  • How to Do It: Run regular updates to make sure you're using the latest Trivy version.
$ sudo apt-get update && sudo apt-get install trivy

Scan Early, Scan Often

  • Why It Matters: The earlier you catch vulnerabilities, the easier they are to fix.
  • How to Do It: Integrate Trivy into your CI/CD pipeline.
steps:
  - name: Run Trivy vulnerability scanner
    # exit code 1 fails the job when HIGH or CRITICAL findings are present
    run: trivy image --exit-code 1 --severity HIGH,CRITICAL YOUR_IMAGE_NAME

Set Smart Policies

  • Why It Matters: Not all vulnerabilities are created equal. Focus on what matters.
  • How to Do It: Use Trivy's policy files to set custom rules.
# --ignore-policy takes a Rego policy file that decides which findings to ignore
$ trivy image --ignore-policy your-policy-file.rego YOUR_IMAGE_NAME

Use Whitelists

  • Why It Matters: Some vulnerabilities might be false positives or irrelevant to your setup.
  • How to Do It: Use a whitelist file to ignore them.
# the ignore file lists one vulnerability ID per line; .trivyignore is picked up by default
$ trivy image --ignorefile .trivyignore YOUR_IMAGE_NAME

Keep an Eye on Alerts

  • Why It Matters: Staying informed helps you react quickly.
  • How to Do It: Set up alert channels like email or Slack through Trivy.
$ trivy image --format json -o report.json YOUR_IMAGE_NAME
$ curl -X POST -H 'Content-type: application/json' --data '{"text":"Trivy scan of YOUR_IMAGE_NAME finished, see report.json"}' YOUR_SLACK_WEBHOOK_URL

This isn't an exhaustive list, but it's a solid start. Stick to these best practices and you'll be well on your way to mastering container security with Aqua Trivy.

Conclusion

To wrap it up, Aqua Trivy isn't just another tool in your security arsenal—it's a must-have for anyone using Kubernetes. From scanning your first container to setting up smart policies and alerts, Trivy makes container security easier and more efficient. Stick to the best practices we've laid out here, and you're setting yourself up for a more secure, more reliable container environment.
