Trivy 概述
Trivy(tri 发音为 trigger,vy 发音为 envy)是一个简略而全面的破绽/谬误配置扫描器,用于容器和其余工件。 软件破绽是软件或操作系统中存在的故障、缺点或弱点。 Trivy 检测操作系统包(Alpine、RHEL、CentOS 等)和特定语言包(Bundler、Composer、npm、yarn 等)的破绽。 此外,Trivy 会扫描基础设施即代码 (IaC) 文件,例如 Terraform 和 Kubernetes,以检测使您的部署面临攻打危险的潜在配置问题。 Trivy 易于应用。 只需装置二进制文件,您就能够开始扫描了。 扫描所须要做的就是指定一个指标,例如容器的图像名称。
Trivy 检测两种类型的平安问题 :
- 破绽
- 配置谬误
Trivy 能够扫描三种不同的工件:
- 容器镜像
- 文件系统
- Git存储库
Trivy 能够在两种不同的模式下运行:
- 独立
客户端服务器
它旨在用于 CI。在推送到容器注册表或部署应用程序之前,您能够轻松扫描本地容器映像和其余工件。
Trivy 特色
全面的破绽检测
- 操作系统包(Alpine、Red Hat Universal Base Image、Red Hat Enterprise Linux、CentOS、Oracle Linux、Debian、Ubuntu、Amazon Linux、openSUSE Leap、SUSE Enterprise Linux、Photon OS 和 Distroless)
- 特定于语言的包(Bundler、Composer、Pipenv、Poetry、npm、yarn、Cargo、NuGet、Maven 和 Go)
检测 IaC 谬误配置
各种各样的内置策略提供了开箱:
- Kubernetes
- 码头工人
- 地形
- 更多行将推出
- 反对自定义策略
简略的
- 仅指定图像名称、蕴含 IaC 配置的目录或工件名称
疾速地
- 第一次扫描将在 10 秒内实现(取决于您的网络)。随后的扫描将在几秒钟内实现。
- 与在第一次运行时须要很长时间能力获取破绽信息(约 10 分钟)并激励您保护长久破绽数据库的其余扫描程序不同,Trivy 是无状态的,不须要保护或筹备。
繁难装置
apt-get install,yum install并且brew install是可能的- 没有先决条件,如装置DB的,图书馆等
高精确度
- 特地是 Alpine Linux 和 RHEL/CentOS
- 其余操作系统也高
开发平安经营
- 实用于Travis CI、CircleCI、Jenkins、GitLab CI 等 CI。
反对多种格局
容器镜像
- 作为守护过程运行的 Docker Engine 中的本地映像
- Podman中裸露套接字的本地图像
- Docker Registry 中的近程镜像,例如 Docker Hub、ECR、GCR 和 ACR
- 存储在
docker save/podman save格式文件中的 tar 存档 - 合乎OCI 图像格式的图像目录
- 本地文件系统
- 近程 git 仓库
Trivy 装置
Yum 源形式装置
$ sudo vim /etc/yum.repos.d/trivy.repo[trivy]name=Trivy repositorybaseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/gpgcheck=0enabled=1$ sudo yum -y update$ sudo yum -y install trivyrpm 形式装置
rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.19.2/trivy_0.19.2_Linux-64bit.rpm二进制形式装置
mkdir -p $GOPATH/src/github.com/aquasecuritycd $GOPATH/src/github.com/aquasecuritygit clone --depth 1 --branch v0.19.2 https://github.com/aquasecurity/trivycd trivy/cmd/trivy/export GO111MODULE=ongo install容器镜像破绽扫描
只需指定镜像仓库(和tag)
# trivy image nginx:1.16 2021-08-16T19:15:48.528+0800 INFO Detected OS: debian2021-08-16T19:15:48.528+0800 INFO Detecting Debian vulnerabilities...2021-08-16T19:15:48.541+0800 INFO Number of language-specific files: 1nginx:1.16 (debian 10.3)========================Total: 207 (UNKNOWN: 0, LOW: 105, MEDIUM: 33, HIGH: 49, CRITICAL: 20)+-----------------+---------------------+----------+---------------------------+---------------------------+------------------------------------------------------------+| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |+-----------------+---------------------+----------+---------------------------+---------------------------+------------------------------------------------------------+| apt | CVE-2020-27350 | MEDIUM | 1.8.2 | 1.8.2.2 | apt: integer overflows and underflows || | | | | | while parsing .deb packages || | | | | | -->avd.aquasec.com/nvd/cve-2020-27350 |+ +---------------------+ + +---------------------------+------------------------------------------------------------+| | CVE-2020-3810 | | | 1.8.2.1 | Missing input validation in || | | | | | the ar/tar implementations of || | | | | | APT before version 2.1.2... || | | | | | -->avd.aquasec.com/nvd/cve-2020-3810 |+ +---------------------+----------+ +---------------------------+------------------------------------------------------------+| | CVE-2011-3374 | LOW | | | It was found that apt-key in apt, || | | | | | all versions, do not correctly... || | | | | | -->avd.aquasec.com/nvd/cve-2011-3374 |+-----------------+---------------------+ +---------------------------+---------------------------+------------------------------------------------------------+| bash | CVE-2019-18276 | | 5.0-4 | | bash: when effective UID is not || | | | | | equal to its real UID the... || | | | | | -->avd.aquasec.com/nvd/cve-2019-18276 |+ +---------------------+ + +---------------------------+------------------------------------------------------------+| | TEMP-0841856-B18BAF | | | | -->security-tracker.debian.org/tracker/TEMP-0841856-B18BAF |+-----------------+---------------------+ +---------------------------+---------------------------+------------------------------------------------------------+| bsdutils | CVE-2021-37600 | | 2.33.1-0.1 | | util-linux: integer overflow || | | | | | can lead to buffer overflow || | | | | | in get_sem_elements() in || | | | | | sys-utils/ipcutils.c... || | | | | | -->avd.aquasec.com/nvd/cve-2021-37600 |+-----------------+---------------------+ +---------------------------+---------------------------+------------------------------------------------------------+| coreutils | CVE-2016-2781 | | 8.30-3 | | coreutils: Non-privileged || | | | | | session can escape to the || | | | | | parent session in chroot || | | | | | -->avd.aquasec.com/nvd/cve-2016-2781 |+ +---------------------+ + +---------------------------+------------------------------------------------------------+| | CVE-2017-18018 | | | | coreutils: race condition || | | | | | vulnerability in chown and chgrp || | | | | | -->avd.aquasec.com/nvd/cve-2017-18018 |+-----------------+---------------------+ +---------------------------+---------------------------+------------------------------------------------------------+| fdisk | CVE-2021-37600 | | 2.33.1-0.1 | | util-linux: integer overflow || | | | | | can lead to buffer overflow || | | | | | in get_sem_elements() in || | | | | | sys-utils/ipcutils.c... || | | | | | -->avd.aquasec.com/nvd/cve-2021-37600 |+-----------------+---------------------+----------+---------------------------+---------------------------+------------------------------------------------------------+| gcc-8-base | CVE-2018-12886 | HIGH | 8.3.0-6 | | gcc: spilling of stack || | | | | | protection address in cfgexpand.c || | | | | | and function.c leads to... || | | | | | -->avd.aquasec.com/nvd/cve-2018-12886 |+ +---------------------+ + +---------------------------+------------------------------------------------------------+| | CVE-2019-15847 | | | | gcc: POWER9 "DARN" RNG intrinsic || | | | | | produces repeated output || | | | | | -->avd.aquasec.com/nvd/cve-2019-15847 |+-----------------+---------------------+----------+---------------------------+---------------------------+------------------------------------------------------------+| gpgv | CVE-2019-14855 | LOW | 2.2.12-1+deb10u1 | | gnupg2: OpenPGP Key Certification || | | | | | Forgeries with SHA-1 || | | | | | -->avd.aquasec.com/nvd/cve-2019-14855 |+-----------------+---------------------+----------+---------------------------+---------------------------+------------------------------------------------------------+| libapt-pkg5.0 | CVE-2020-27350 | MEDIUM | 1.8.2 | 1.8.2.2 | apt: integer overflows and underflows || | | | | | while parsing .deb packages || | | | | | -->avd.aquasec.com/nvd/cve-2020-27350 |+ +---------------------+ + +---------------------------+------------------------------------------------------------+| | CVE-2020-3810 | | | 1.8.2.1 | Missing input validation in || | | | | | the ar/tar implementations of || | | | | | APT before version 2.1.2... |--More--trivy image [IMAGE_NAME]
破绽等级:
- HIGH
- MEDIUM
- LOW
- CRITICAL
文件系统破绽扫描
扫描文件系统(例如主机、虚拟机映像或解压缩的容器映像文件系统)
# trivy fs /application/zookeeper/2021-08-16T19:23:19.322+0800 INFO Number of language-specific files: 352021-08-16T19:23:19.322+0800 INFO Detecting jar vulnerabilities...lib/jetty-server-9.4.39.v20210325.jar (jar)===========================================Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)+--------------------------------+------------------+----------+-------------------+------------------------+---------------------------------------+| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |+--------------------------------+------------------+----------+-------------------+------------------------+---------------------------------------+| org.eclipse.jetty:jetty-server | CVE-2019-10247 | MEDIUM | 9.4.39.v20210325 | | jetty: error path || | | | | | information disclosure || | | | | | -->avd.aquasec.com/nvd/cve-2019-10247 |+ +------------------+----------+ +------------------------+---------------------------------------+| | CVE-2021-34428 | LOW | | 11.0.3, 10.0.3, 9.4.41 | jetty: SessionListener can || | | | | | prevent a session from being || | | | | | invalidated breaking logout || | | | | | -->avd.aquasec.com/nvd/cve-2021-34428 |+--------------------------------+------------------+----------+-------------------+------------------------+---------------------------------------+lib/log4j-1.2.17.jar (jar)==========================Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)+-------------+------------------+----------+-------------------+---------------+---------------------------------------+| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |+-------------+------------------+----------+-------------------+---------------+---------------------------------------+| log4j:log4j | CVE-2019-17571 | CRITICAL | 1.2.17 | | log4j: deserialization of || | | | | | untrusted data in SocketServer || | | | | | -->avd.aquasec.com/nvd/cve-2019-17571 |+-------------+------------------+----------+-------------------+---------------+---------------------------------------+Git 存储库破绽扫描
扫描您的近程 git 存储库
# trivy repo https://github.com/kubernetes/kubernetes.gitEnumerating objects: 370096, done.Counting objects: 100% (370096/370096), done.Compressing objects: 100% (153736/153736), done.Total 370096 (delta 246795), reused 313878 (delta 202418), pack-reused 02021-08-16T19:27:54.433+0800 INFO Number of language-specific files: 312021-08-16T19:27:54.434+0800 INFO Detecting gomod vulnerabilities...cluster/addons/fluentd-elasticsearch/es-image/go.sum (gomod)============================================================Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 3, CRITICAL: 0)+-----------------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |+-----------------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+| github.com/dgrijalva/jwt-go | CVE-2020-26160 | HIGH | 3.2.0+incompatible | | jwt-go: access restriction || | | | | | bypass vulnerability || | | | | | -->avd.aquasec.com/nvd/cve-2020-26160 |+-----------------------------+------------------+ +-----------------------------------+------------------------------------+---------------------------------------+| github.com/gogo/protobuf | CVE-2021-3121 | | 1.3.1 | v1.3.2 | gogo/protobuf: || | | | | | plugin/unmarshal/unmarshal.go || | | | | | lacks certain index validation || | | | | | -->avd.aquasec.com/nvd/cve-2021-3121 |+-----------------------------+------------------+ +-----------------------------------+------------------------------------+---------------------------------------+| golang.org/x/crypto | CVE-2020-29652 | | 0.0.0-20200622213623-75b288015ac9 | v0.0.0-20201216223049-8b5274cf687f | golang: crypto/ssh: crafted || | | | | | authentication request can || | | | | | lead to nil pointer dereference || | | | | | -->avd.aquasec.com/nvd/cve-2020-29652 |+-----------------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+| k8s.io/client-go | CVE-2020-8565 | MEDIUM | 0.19.2 | v0.20.0-alpha.2 | kubernetes: Incomplete fix || | | | | | for CVE-2019-11250 allows for || | | | | | token leak in logs when... || | | | | | -->avd.aquasec.com/nvd/cve-2020-8565 |+-----------------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+go.sum (gomod)==============Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)Trivy 过滤破绽
暗藏未修复得破绽
默认状况下, Trivy还会检测未修补/未修复的破绽。这意味着即便您更新所有软件包,您也无奈修复这些破绽。如果您想疏忽它们,请应用该--ignore-unfixed选项。
# trivy image --ignore-unfixed nginx:1.16 按重大水平
应用--severity选项
# trivy image --severity HIGH,CRITICAL nginx:1.16按破绽ID
应用.trivyignore.
# cat .trivyignore# Accept the riskCVE-2018-14618# No impact in our settingsCVE-2019-1543# trivy image nginx:1.16 按类型
应用--vuln-type选项。
# trivy image --vuln-type os nginx:1.16破绽数据库
跳过破绽数据库得更新
Trivy开始运行时每 12 小时下载一次破绽数据库。这通常很快,因为数据库的大小只有 10~30MB。然而,如果您甚至想跳过它,请应用该--skip-db-update选项。
# trivy image --skip-db-update nginx:1.16只下载破绽数据库
# trivy image --download-db-only轻量级数据库
轻量级数据库不蕴含破绽详细信息,例如形容和参考。因而,DB 的大小更小,下载速度更快。
当您不须要破绽详细信息并且实用于 CI/CD 时,此选项很有用。要查找其余信息,您能够在 NVD 网站上搜寻破绽详细信息。https://nvd.nist.gov/vuln/search
# trivy image --light nginx:1.16--light 选项不会像上面的例子那样显示题目。
Trivy 缓存
革除缓存
该--clear-cache选项删除缓存。
不执行扫描。
# trivy image --clear-cache缓存目录
用 指定缓存的存储地位--cache-dir。
$ trivy --cache-dir /tmp/trivy/ image nginx:1.16缓存后端
Trivy 反对本地文件系统和 Redis 作为缓存后端。此选项特地实用于客户端/服务器模式。
两个选项: - fs - 缓存门路能够通过--cache-dir - redis:// -redis://[HOST]:[PORT]
# trivy server --cache-backend redis://localhost:6379Trivy 破绽报告格局
表格(默认)
# trivy image -f table nginx:1.16JSON
trivy image -f json -o results.json nginx:1.16参考文章
https://github.com/aquasecurity/trivy
点击 "浏览原文" 获取更好的浏览体验!