Enhancing Container Image Security in Razorops CI/CD Pipeline with Trivy Vulnerability Scanning

Created by Saurabh Singh Singh Yadav, Modified on Fri, 30 Jun, 2023 at 1:56 AM by Saurabh Singh Singh Yadav


Table of contents:

  1. Introduction

  2. Prerequisites

  3. What is Trivy?

  4. Understanding .razorops.yaml

Introduction:

Container image vulnerability scanning is a critical aspect of modern CI/CD pipelines. By detecting potential security risks, we can ensure the safety of our applications. In this article, we will explore how to seamlessly integrate Trivy, a powerful vulnerability scanner, into the Razorops CI/CD platform for automated image scanning.

Why do we need vulnerability scanning of container images?

Containerization has revolutionized software development and deployment by providing a lightweight and scalable solution. However, it also introduces potential security risks. Container images, which serve as the foundation for running applications, can contain vulnerabilities that can be exploited by attackers.

Here are a few reasons why vulnerability scanning of container images is crucial:

  • Identify Security Risks: Vulnerability scanners like Trivy analyze container images to detect security vulnerabilities, outdated libraries, and misconfigurations. By uncovering these risks early on, developers can take proactive measures to mitigate them.

  • Protect Against Attacks: Vulnerabilities in container images can be exploited to gain unauthorized access, execute malicious code, or disrupt application functionality. By scanning and addressing vulnerabilities, we fortify our applications and protect sensitive data.

  • Compliance and Audit Requirements: Many industries have specific compliance regulations that mandate regular security assessments. Vulnerability scanning helps ensure compliance with these standards and provides evidence for audits.

  • Maintain Trust and Reputation: In today's digital landscape, users expect their data to be handled securely. By conducting thorough vulnerability scans, organizations demonstrate their commitment to security, maintain user trust, and safeguard their reputation.


Prerequisites:

  1. Project Setup:

    • Fork the repository code from this link: GitHub Link.

    • If you have another project already automated in Razorops, you can use that as well.

  2. Razorops Account:

    • To create your pipeline for the forked project, you will need an account on Razorops.

    • Sign up for an account at Razorops Sign Up.

    • If you need assistance in creating a pipeline in Razorops, refer to this guide: Pipeline Creation Guide.

  3. Docker Hub Account:

    • You will need a Docker Hub account where you can push your Docker images.

    • Sign up for a Docker Hub account at Docker Hub.

  4. Familiarity with YAML and .razorops.yaml:

    • You should have a basic understanding of YAML files and the structure of the .razorops.yaml file.

    • The .razorops.yaml file is placed in your project and is used to configure the Razorops pipeline.

    • We will modify this file in our project to enable the container image scanning.

    • Refer to the Razorops Documentation for a guide on the .razorops.yaml file.



As the article states, we will be using Trivy to scan the Docker images, so let's learn a little about Trivy before we use it.


What is Trivy?


Trivy is an open-source container vulnerability scanner that quickly detects vulnerabilities and misconfigurations in container images. Its key features include:

  1. Fast Scanning: Trivy provides rapid vulnerability assessments during container development and deployment processes.

  2. Comprehensive Coverage: It analyzes container images against an extensive vulnerability database, including CVEs and OS package vulnerabilities.

  3. Easy Integration: Trivy seamlessly integrates with popular container tools, such as Docker and Kubernetes, and supports various container image formats.

  4. Layered Analysis: It performs granular vulnerability scans at each layer of a container image, facilitating efficient remediation.

  5. Multi-Platform Support: Trivy works with different container platforms and programming languages commonly used in containers.

  6. Configurable Severity Levels: It categorizes vulnerabilities into severity levels, allowing you to prioritize remediation efforts based on risk.

  7. Remediation Recommendations: Trivy offers actionable insights and references to official vulnerability databases for effective vulnerability mitigation.


Understanding .razorops.yaml

To scan any container/Docker image present on your local machine, you can run Trivy directly from the console with the following command:

trivy image [YOUR_IMAGE_NAME]

However, our objective is to continuously scan the image whenever a new image is built in our CI/CD pipeline. To achieve this, we can incorporate the trivy CLI into our CI/CD tooling.

Let's take a look at our .razorops.yaml file, which can be found at the root of the repository.


tasks:
  build:
    steps:
    - checkout
    - docker/build:
        image: saurabh3460/todo-app
        tags: ["${CI_COMMIT_SHA}", "latest"]
        dockerfile: server/Dockerfile
        context: server
    - commands:
      - |
        wget https://github.com/aquasecurity/trivy/releases/download/v0.42.1/trivy_0.42.1_Linux-64bit.deb
        sudo dpkg -i trivy_0.42.1_Linux-64bit.deb
        trivy image --format template --template "@junit.tpl" -o junit_report.xml saurabh3460/todo-app1:latest
    - reports/junit:
        paths: ["junit_report.xml"]


Here is a step-by-step explanation of what the pipeline does:


  1. Checkout: This step retrieves the source code from the repository.

  2. Docker Build: This step builds a Docker image using the specified Dockerfile (server/Dockerfile) and the context directory (server). The resulting image is tagged with two tags: ${CI_COMMIT_SHA}, which represents the commit SHA, and "latest".

  3. Commands: This step contains our main step, which scans the image and generates a report in XML format:

    1. The first command downloads the Trivy package (trivy_0.42.1_Linux-64bit.deb) using wget.

    2. The second command installs the downloaded Trivy package using dpkg.

    3. The third command runs Trivy to scan the Docker image saurabh3460/todo-app1:latest. It uses a specific template file (@junit.tpl) to format the output, and the resulting JUnit report is saved as junit_report.xml.
      We can also restrict the output with the --severity HIGH,CRITICAL parameter so that only high and critical vulnerabilities are reported.

  4. Reports/JUnit: This step collects the generated JUnit report (junit_report.xml) and specifies it for further processing.



Once the report is uploaded to Razorops, we can see JUnit Reports under the Insights section of the pipeline, as follows:



In the report we can see a chart summarizing the vulnerability scanning tests, and below it a details section listing which vulnerabilities exist at each severity level (Critical, High, Medium, Low).
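As an added example (not part of the original article and not Razorops or Trivy code), the following Python script parses the junit_report.xml that Trivy emits through junit.tpl, tallies findings per severity the way the Insights chart does, and decides whether a build should proceed for a chosen severity threshold. The sample report, its package versions and its CVE-0000-* identifiers are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape Trivy's junit.tpl emits: one <testsuite> per scan
# target and one <testcase> per finding, named "[SEVERITY] <id>". Package versions
# and the CVE-0000-* identifiers are placeholders, not real advisories.
SAMPLE_REPORT = """<?xml version="1.0" ?>
<testsuites name="trivy">
  <testsuite tests="3" failures="3" name="saurabh3460/todo-app:latest (alpine 3.18.0)" errors="0" skipped="0" time="">
    <testcase classname="openssl-3.0.8-r0" name="[CRITICAL] CVE-0000-0001" time="">
      <failure message="placeholder title" type="description">placeholder text</failure>
    </testcase>
    <testcase classname="openssl-3.0.8-r0" name="[HIGH] CVE-0000-0002" time="">
      <failure message="placeholder title" type="description">placeholder text</failure>
    </testcase>
    <testcase classname="busybox-1.36.0-r0" name="[LOW] CVE-0000-0003" time="">
      <failure message="placeholder title" type="description">placeholder text</failure>
    </testcase>
  </testsuite>
</testsuites>
"""

# Trivy's severity scale, lowest to highest; anything unrecognised ranks lowest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def rank(severity):
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def parse_findings(report_xml):
    """Return (severity, vuln_id, package) tuples from a Trivy JUnit report."""
    findings = []
    for case in ET.fromstring(report_xml).iter("testcase"):
        name = case.get("name", "")
        if not name.startswith("["):  # not a junit.tpl-style test case name
            continue
        severity, _, vuln_id = name[1:].partition("] ")
        findings.append((severity.upper(), vuln_id, case.get("classname", "")))
    return findings


def count_by_severity(findings):
    """Histogram keyed by severity: the numbers the Insights chart plots."""
    return Counter(severity for severity, _, _ in findings)


def build_may_proceed(findings, fail_on="HIGH"):
    """True only if every finding ranks below the fail_on severity."""
    return all(rank(severity) < rank(fail_on) for severity, _, _ in findings)
```

Running build_may_proceed over the real junit_report.xml in the commands step, with fail_on matching the --severity filter you chose, turns the report into a pass/fail gate rather than information only.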


Conclusion:


The implementation of container image vulnerability scanning enhances the security of applications and helps maintain compliance and user trust. By leveraging Trivy within the Razorops CI/CD pipeline, developers can automate the scanning process and identify vulnerabilities early on.
