This article will guide you to use Trivy to scan Docker images locally.
What is Trivy and why should we use it to test Docker images for security vulnerabilities.
What is Trivy?
Trivy is an open source security scanner, primarily used to detect security vulnerabilities in Docker images and source code repositories. It is designed to be easy to use and provide detailed information about vulnerabilities, helping developers and system administrators improve the security of their applications.
In addition, Trivy supports integration with CI/CD tools such as Github Actions, Azure DevOps… and IDEs such as VSCode, Vim,… You can see more information about its ecosystem.
In this article, I will guide you through the 2 simplest ways to use Trivy on a local environment, specifically a Windows computer.
Use Trivy with Docker command
This method is suitable for servers without a graphical interface, or you want to use Docker command to manipulate.
For example, you just want to scan the python:3.4-alpine image from DockerHub, I assume that you have downloaded this image to your computer.
Run the Docker command below to download the Trivy image and scan the python:3.4-alpine image. You can check the current version of Trivy and replace image trivy:0.56.2 in the command below. Also, replace python:3.4-alpine with the image tag you want to scan.
Use Trivy with Docker command to scan Docker images.
The scan content will look like below.
$dockerrunaquasec/trivy:0.56.2imagepython:3.4-alpineUnabletofindimage'aquasec/trivy:0.56.2'locally0.56.2:Pullingfromaquasec/trivy43c4264eed91:Alreadyexists2fb915365b73:Pullcomplete55dd28896ea8:Pullcomplete4ff82ebd20fe:PullcompleteDigest:sha256:26245f364b6f5d223003dc344ec1eb5eb8439052bfecb31d79aeba0c74344b3aStatus:Downloadednewerimageforaquasec/trivy:0.56.22024-10-17T08:59:48ZINFO [vulndb] Need to update DB2024-10-17T08:59:48ZINFO [vulndb] Downloading vulnerability DB...2024-10-17T08:59:48ZINFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"498.40KiB/54.30MiB [>____________________________________________________________] 0.90% ? p/s ?4.83 MiB / 54.30 MiB [----->_________________________________________________________] 8.90% ? p/s ?10.55 MiB / 54.30 MiB [----------->_________________________________________________] 19.43% ? p/s ?16.33 MiB / 54.30 MiB [-------------->_________________________________] 30.07% 26.40 MiB p/s ETA 1s22.16 MiB / 54.30 MiB [------------------->____________________________] 40.81% 26.40 MiB p/s ETA 1s28.11 MiB / 54.30 MiB [------------------------>_______________________] 51.77% 26.40 MiB p/s ETA 0s33.89 MiB / 54.30 MiB [----------------------------->__________________] 62.41% 26.59 MiB p/s ETA 0s39.74 MiB / 54.30 MiB [----------------------------------->____________] 73.18% 26.59 MiB p/s ETA 0s45.69 MiB / 54.30 MiB [---------------------------------------->_______] 84.14% 26.59 MiB p/s ETA 0s51.61 MiB / 54.30 MiB [--------------------------------------------->__] 95.04% 26.78 MiB p/s ETA 0s54.30 MiB / 54.30 MiB [---------------------------------------------->] 100.00% 26.78 MiB p/s ETA 0s54.30 MiB / 54.30 MiB [---------------------------------------------->] 100.00% 26.78 MiB p/s ETA 0s54.30 MiB / 54.30 MiB [---------------------------------------------->] 100.00% 25.34 MiB p/s ETA 0s54.30 MiB / 54.30 MiB [---------------------------------------------->] 100.00% 25.34 MiB p/s ETA 0s54.30 MiB / 54.30 MiB [---------------------------------------------->] 100.00% 25.34 MiB p/s ETA 0s54.30 MiB / 54.30 MiB [---------------------------------------------->] 100.00% 23.70 MiB p/s ETA 0s54.30 MiB / 54.30 MiB [---------------------------------------------->] 100.00% 23.70 MiB p/s ETA 0s54.30 MiB / 54.30 MiB [---------------------------------------------->] 100.00% 23.70 MiB p/s ETA 0s54.30 MiB / 54.30 MiB [---------------------------------------------->] 100.00% 22.17 MiB p/s ETA 0s54.30 MiB / 54.30 MiB [---------------------------------------------->] 100.00% 22.17 MiB p/s ETA 0s54.30 MiB / 54.30 MiB [---------------------------------------------->] 100.00% 22.17 MiB p/s ETA 0s54.30 MiB / 54.30 MiB [---------------------------------------------->] 100.00% 20.74 MiB p/s ETA 0s54.30 MiB / 54.30 MiB [---------------------------------------------->] 100.00% 20.74 MiB p/s ETA 0s54.30 MiB / 54.30 MiB [-------------------------------------------------] 100.00% 11.90 MiB p/s 4.8s2024-10-17T08:59:55Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"2024-10-17T08:59:55ZINFO [vuln] Vulnerability scanning is enabled2024-10-17T08:59:55ZINFO [secret] Secret scanning is enabled2024-10-17T08:59:55ZINFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning2024-10-17T08:59:55ZINFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection2024-10-17T09:00:00ZINFO [python] License acquired from METADATA classifiers may be subject to additional terms name="pip" version="19.0.3"2024-10-17T09:00:00ZINFO [python] License acquired from METADATA classifiers may be subject to additional terms name="setuptools" version="40.8.0"2024-10-17T09:00:00ZINFO [python] License acquired from METADATA classifiers may be subject to additional terms name="wheel" version="0.33.1"2024-10-17T09:00:02ZINFODetectedOSfamily="alpine"version="3.9.2"2024-10-17T09:00:02ZINFO [alpine] Detecting vulnerabilities... os_version="3.9" repository="3.9" pkg_num=282024-10-17T09:00:02ZINFONumberoflanguage-specificfilesnum=12024-10-17T09:00:02ZINFO [python-pkg] Detecting vulnerabilities...2024-10-17T09:00:02ZWARNThisOSversionisnolongersupportedbythedistributionfamily="alpine"version="3.9.2"2024-10-17T09:00:02ZWARNThevulnerabilitydetectionmaybeinsufficientbecausesecurityupdatesarenotprovided2024-10-17T09:00:02ZINFOTableresultincludesonlypackagefilenames.Use'--format json'optiontogetthefullpathtothepackagefile.python:3.4-alpine (alpine 3.9.2)================================Total:37 (UNKNOWN: 0,LOW:4,MEDIUM:16,HIGH:13,CRITICAL:4)┌──────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐│Library│Vulnerability│Severity│Status│InstalledVersion│FixedVersion│Title│├──────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤│expat│CVE-2018-20843│HIGH│fixed│2.2.6-r0│2.2.7-r0│expat:largenumberofcolonsininputmakesparserconsume││││││││highamount...││││││││https://avd.aquasec.com/nvd/cve-2018-20843││├────────────────┤││├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2019-15903││││2.2.7-r1│expat:heap-basedbufferover-readviacraftedXMLinput││││││││https://avd.aquasec.com/nvd/cve-2019-15903│├──────────────┼────────────────┼──────────┤├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤│libbz2│CVE-2019-12900│CRITICAL││1.0.6-r6│1.0.6-r7│bzip2:out-of-boundswriteinfunctionBZ2_decompress││││││││https://avd.aquasec.com/nvd/cve-2019-12900│├──────────────┼────────────────┼──────────┤├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤│libcrypto1.1│CVE-2019-1543│HIGH││1.1.1a-r1│1.1.1b-r1│openssl:ChaCha20-Poly1305withlongnonces││││││││https://avd.aquasec.com/nvd/cve-2019-1543││├────────────────┤││├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2020-1967││││1.1.1g-r0│openssl:SegmentationfaultinSSL_check_chaincausesdenial││││││││ofservice││││││││https://avd.aquasec.com/nvd/cve-2020-1967││├────────────────┤││├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2021-23840││││1.1.1j-r0│openssl:integeroverflowinCipherUpdate││││││││https://avd.aquasec.com/nvd/cve-2021-23840││├────────────────┤││├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2021-3450││││1.1.1k-r0│openssl:CAcertificatecheckbypasswith││││││││X509_V_FLAG_X509_STRICT││││││││https://avd.aquasec.com/nvd/cve-2021-3450││├────────────────┼──────────┤│├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2019-1547│MEDIUM│││1.1.1d-r0│openssl:side-channelweakencryptionvulnerability││││││││https://avd.aquasec.com/nvd/cve-2019-1547││├────────────────┤│││├──────────────────────────────────────────────────────────────┤││CVE-2019-1549│││││openssl:informationdisclosureinfork() ││││││││https://avd.aquasec.com/nvd/cve-2019-1549││├────────────────┤││├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2019-1551││││1.1.1d-r2│openssl:IntegeroverflowinRSAZmodularexponentiationon││││││││x86_64││││││││https://avd.aquasec.com/nvd/cve-2019-1551││├────────────────┤││├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2020-1971││││1.1.1i-r0│openssl:EDIPARTYNAMENULLpointerde-reference││││││││https://avd.aquasec.com/nvd/cve-2020-1971││├────────────────┤││├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2021-23841││││1.1.1j-r0│openssl:NULLpointerdereferencein││││││││X509_issuer_and_serial_hash() ││││││││https://avd.aquasec.com/nvd/cve-2021-23841││├────────────────┤││├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2021-3449││││1.1.1k-r0│openssl:NULLpointerdereferenceinsignature_algorithms││││││││processing││││││││https://avd.aquasec.com/nvd/cve-2021-3449││├────────────────┼──────────┤│├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2019-1563│LOW│││1.1.1d-r0│openssl:informationdisclosureinPKCS7_dataDecodeand││││││││CMS_decrypt_set1_pkey││││││││https://avd.aquasec.com/nvd/cve-2019-1563││├────────────────┤││├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2021-23839││││1.1.1j-r0│openssl:incorrectSSLv2rollbackprotection││││││││https://avd.aquasec.com/nvd/cve-2021-23839│├──────────────┼────────────────┼──────────┤│├───────────────┼──────────────────────────────────────────────────────────────┤│libssl1.1│CVE-2019-1543│HIGH│││1.1.1b-r1│openssl:ChaCha20-Poly1305withlongnonces││││││││https://avd.aquasec.com/nvd/cve-2019-1543││├────────────────┤││├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2020-1967││││1.1.1g-r0│openssl:SegmentationfaultinSSL_check_chaincausesdenial││││││││ofservice││││││││https://avd.aquasec.com/nvd/cve-2020-1967││├────────────────┤││├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2021-23840││││1.1.1j-r0│openssl:integeroverflowinCipherUpdate││││││││https://avd.aquasec.com/nvd/cve-2021-23840││├────────────────┤││├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2021-3450││││1.1.1k-r0│openssl:CAcertificatecheckbypasswith││││││││X509_V_FLAG_X509_STRICT││││││││https://avd.aquasec.com/nvd/cve-2021-3450││├────────────────┼──────────┤│├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2019-1547│MEDIUM│││1.1.1d-r0│openssl:side-channelweakencryptionvulnerability││││││││https://avd.aquasec.com/nvd/cve-2019-1547││├────────────────┤│││├──────────────────────────────────────────────────────────────┤││CVE-2019-1549│││││openssl:informationdisclosureinfork() ││││││││https://avd.aquasec.com/nvd/cve-2019-1549││├────────────────┤││├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2019-1551││││1.1.1d-r2│openssl:IntegeroverflowinRSAZmodularexponentiationon││││││││x86_64││││││││https://avd.aquasec.com/nvd/cve-2019-1551││├────────────────┤││├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2020-1971││││1.1.1i-r0│openssl:EDIPARTYNAMENULLpointerde-reference││││││││https://avd.aquasec.com/nvd/cve-2020-1971││├────────────────┤││├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2021-23841││││1.1.1j-r0│openssl:NULLpointerdereferencein││││││││X509_issuer_and_serial_hash() ││││││││https://avd.aquasec.com/nvd/cve-2021-23841││├────────────────┤││├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2021-3449││││1.1.1k-r0│openssl:NULLpointerdereferenceinsignature_algorithms││││││││processing││││││││https://avd.aquasec.com/nvd/cve-2021-3449││├────────────────┼──────────┤│├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2019-1563│LOW│││1.1.1d-r0│openssl:informationdisclosureinPKCS7_dataDecodeand││││││││CMS_decrypt_set1_pkey││││││││https://avd.aquasec.com/nvd/cve-2019-1563││├────────────────┤││├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2021-23839││││1.1.1j-r0│openssl:incorrectSSLv2rollbackprotection││││││││https://avd.aquasec.com/nvd/cve-2021-23839│├──────────────┼────────────────┼──────────┤├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤│musl│CVE-2019-14697│CRITICAL││1.1.20-r4│1.1.20-r5│musllibcthrough1.1.23hasanx87floating-pointstack││││││││adjustmentim......││││││││https://avd.aquasec.com/nvd/cve-2019-14697││├────────────────┼──────────┤│├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2020-28928│MEDIUM│││1.1.20-r6│Inmusllibcthrough1.2.1,wcsnrtombsmishandlesparticular││││││││combinati...││││││││https://avd.aquasec.com/nvd/cve-2020-28928│├──────────────┼────────────────┼──────────┤│├───────────────┼──────────────────────────────────────────────────────────────┤│musl-utils│CVE-2019-14697│CRITICAL│││1.1.20-r5│musllibcthrough1.1.23hasanx87floating-pointstack││││││││adjustmentim......││││││││https://avd.aquasec.com/nvd/cve-2019-14697││├────────────────┼──────────┤│├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2020-28928│MEDIUM│││1.1.20-r6│Inmusllibcthrough1.2.1,wcsnrtombsmishandlesparticular││││││││combinati...││││││││https://avd.aquasec.com/nvd/cve-2020-28928│├──────────────┼────────────────┼──────────┤├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤│sqlite-libs│CVE-2019-8457│CRITICAL││3.26.0-r3│3.28.0-r0│sqlite:heapout-of-boundreadinfunctionrtreenode() ││││││││https://avd.aquasec.com/nvd/cve-2019-8457││├────────────────┼──────────┤│├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2019-19244│HIGH│││3.28.0-r2│sqlite:allowsacrashifasub-selectusesbothDISTINCT││││││││andwindow...││││││││https://avd.aquasec.com/nvd/cve-2019-19244││├────────────────┤││├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2019-5018││││3.28.0-r0│sqlite:Use-after-freeinwindowfunctionleadingtoremote││││││││codeexecution││││││││https://avd.aquasec.com/nvd/cve-2019-5018││├────────────────┤││├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2020-11655││││3.28.0-r3│sqlite:malformedwindow-functionqueryleadstoDoS││││││││https://avd.aquasec.com/nvd/cve-2020-11655││├────────────────┼──────────┤│├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2019-16168│MEDIUM│││3.28.0-r1│sqlite:DivisionbyzeroinwhereLoopAddBtreeIndexin││││││││sqlite3.c││││││││https://avd.aquasec.com/nvd/cve-2019-16168││├────────────────┤││├───────────────┼──────────────────────────────────────────────────────────────┤││CVE-2019-19242││││3.28.0-r2│sqlite:SQLinjectioninsqlite3ExprCodeTargetinexpr.c││││││││https://avd.aquasec.com/nvd/cve-2019-19242│└──────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘Python (python-pkg)===================Total:6 (UNKNOWN: 0,LOW:0,MEDIUM:1,HIGH:5,CRITICAL:0)┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐│Library│Vulnerability│Severity│Status│InstalledVersion│FixedVersion│Title│├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤│pip (METADATA) │ CVE-2019-20916 │ HIGH │ fixed │ 19.0.3 │ 19.2 │ python-pip: directory traversal in_download_http_url() ││ │ │ │ │ │ │ function in src/pip/_internal/download.py ││ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-20916 ││ ├────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤│ │ CVE-2021-3572 │ │ │ │ 21.1 │ python-pip: Incorrect handling of unicode separators in git ││ │ │ │ │ │ │ references ││ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-3572 ││ ├────────────────┼──────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤│ │ CVE-2023-5752 │ MEDIUM │ │ │ 23.3 │ pip: Mercurial configuration injectable in repo revision ││ │ │ │ │ │ │ when installing via pip ││ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-5752 │├───────────────────────┼────────────────┼──────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤│ setuptools (METADATA) │ CVE-2022-40897 │ HIGH │ │ 40.8.0 │ 65.5.1 │ pypa-setuptools: Regular Expression Denial of Service ││││││││ (ReDoS) in package_index.py ││││││││https://avd.aquasec.com/nvd/cve-2022-40897││├────────────────┤││├───────────────┼─────────────────────────────────────────────────────────────┤││CVE-2024-6345││││70.0.0│pypa/setuptools:Remotecodeexecutionviadownload││││││││functionsinthepackage_indexmodulein...││││││││https://avd.aquasec.com/nvd/cve-2024-6345│├───────────────────────┼────────────────┤│├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤│wheel (METADATA) │ CVE-2022-40898 │ │ │ 0.33.1 │ 0.38.1 │ python-wheel: remote attackers can cause denial of service ││││││││viaattackercontrolledinput...││││││││https://avd.aquasec.com/nvd/cve-2022-40898│└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
Use Trivy with Docker Desktop
This method will use Trivy with Docker Desktop on Windows, which will basically download the Trivy image to your computer, launch a container to scan other images.
The difference is that you can use the Docker Desktop interface without having to remember the command. The scan results are also more intuitive.
Open Docker Desktop and go to Extensions, type in the keyword aqua trivy and then click Install extension as shown in the image below.
Install the Trivy extension on Docker Desktop.
After installing the Trivy extension, click on Trivy on the left menu,
In the new window, there will be a box for you to select the Docker image on your computer, select the image to scan and click Scan image. Wait a few minutes for the scan to finish.
Use Trivy on Docker Desktop to scan Docker images.
Compared to using Docker command, using Trivy on Docker Desktop is much more convenient.
The results are very intuitive and full of information, you can click on each security vulnerability to see its information.
View Trivy’s scan results.
Conclusion
In this article, I have guided you through the installation and use of Trivy to scan for security vulnerabilities of Docker images locally. This is very necessary in the application development process.
The use of Docker has become popular in recent years, ensuring that application images are built securely is an indispensable requirement.
Scanning the image locally before deploying it to the environment will greatly reduce the effort to fix it later.
In addition, you can also integrate Trivy into the CI/CD pipeline so that it scans the image before uploading it to the registry and deploying it to the environment. I will guide you to do this in the next articles.
