Trivy

How do I scan Docker images for vulnerabilities in the Azure DevOps CI/CD pipeline?

To raise the security bar of our applications, Trivy, an open-source container image scanner, has been integrated into the Azure DevOps CI pipeline (the same approach works in GitHub Actions). It scans the built image and lists the known vulnerabilities in the packages it contains, each with a severity (unknown, low, medium, high or critical), so the pipeline can fail the build when findings above a chosen threshold are present.

Containerization is a modern practice used by software development teams as the DevOps culture continues to grow in popularity. Most of these environments benefit from the rich features provided by containerization such as scalability, portability, and process isolation.

However, it is essential to consider how secure a piece of software is before shipping it to your clients. When you release container images, heavy use of third-party and outdated libraries means you risk shipping their vulnerabilities along with your own code. As such, there is a need for a reliable way of scanning container images. This is where Trivy comes in handy.


Table of Contents

  1. What is Trivy?
  2. Is Trivy free?
  3. How to integrate Trivy into an existing Azure DevOps CI pipeline
     

What is Trivy?

Trivy is an easy-to-use, fast and comprehensive open-source scanner that DevOps and security teams use to find known vulnerabilities and infrastructure as code (IaC) misconfigurations in containers and other artifacts. Maintained by Aqua Security, Trivy:

Works with container images, file systems and git repositories.

Is easy to install: a single static binary with no prerequisites such as a database server.

Is fast to run: instead of building a vulnerability database locally, it downloads a pre-built one on first use and caches it, so a scan typically takes seconds.

Fits the DevSecOps methodology, as it can be integrated into CI systems such as Azure Pipelines or GitHub Actions, where a non-zero exit code on findings can fail the build.

Is Trivy Free?

Yes. Trivy is open source under the Apache 2.0 license and free to use. Aqua Security, the team behind Trivy, has committed to keeping the project open source.

How to integrate Trivy into an existing Azure DevOps CI pipeline


Installation script in the pipeline.

Installing Trivy is simple: fetch a binary release from Trivy's official GitHub repository, either by hand or with the install script shipped in the repository. The script downloads the release for the agent's platform and places the binary in the directory given by -b.

https://github.com/aquasecurity/trivy/releases

Command: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin

The two dashes after -s separate sh's own options from the arguments handed to the script. Two points matter in a pipeline: piping an unpinned script into sh installs whatever the latest release is on the day the build runs, so pass a release tag as the final argument (for example sh -s -- -b /usr/local/bin v0.50.1) to keep builds reproducible and reviewable; and writing to /usr/local/bin needs root, so on a hosted agent either run the step with sudo or install into a directory under the agent's work folder and add it to PATH.

Install in Azure DevOps pipeline as a step, then verify the install in a separate step so a missing or wrongly placed binary fails early rather than inside the scan step.

Command: trivy --version

Output of Trivy
Trivy prints a table by default, one row per vulnerable package with the vulnerability ID, severity, installed version and fixed version. Results can also be exported for other tools in several formats: JSON and SARIF are built in, while JUnit XML and AWS Security Finding Format (ASFF) are produced through the templates shipped in the repository's contrib directory (--format template --template "@junit.tpl"). The output of the results is as below:
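The installation, version check and output steps above, put together as one pipeline definition. This is an added example written for this page, not code from the original article or from the Trivy project. It assumes an image called myapp is built from a Dockerfile at the repository root, that the agent is a hosted Ubuntu image with Docker available, and that v0.50.1 stands in for whatever release tag you pin; the install script and JUnit template are fetched from the repository's current default branch, main. Trivy writes its report before returning the exit code, so the gating step still produces the SARIF file when it fails the build.

```yaml
# azure-pipelines.yml (added example; assumed names: myapp, v0.50.1, Dockerfile at repo root)
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  trivyVersion: v0.50.1              # assumption: pin to any released tag you have reviewed
  imageName: myapp:$(Build.BuildId)  # assumption: the image built by the Docker@2 step below

steps:
  - task: Docker@2
    displayName: Build container image
    inputs:
      command: build
      Dockerfile: Dockerfile
      repository: myapp
      tags: $(Build.BuildId)

  # Pinned install into the agent's temp directory: no sudo needed, no "latest" drift.
  - script: |
      set -euo pipefail
      mkdir -p "$(Agent.TempDirectory)/bin"
      curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
        | sh -s -- -b "$(Agent.TempDirectory)/bin" "$(trivyVersion)"
      # Logging command that puts the directory on PATH for every following step.
      echo "##vso[task.prependpath]$(Agent.TempDirectory)/bin"
    displayName: Install Trivy (pinned)

  - script: trivy --version
    displayName: Verify Trivy install

  # Informational pass: report LOW/MEDIUM but never fail the build on them.
  - script: >
      trivy image --scanners vuln --severity LOW,MEDIUM
      --exit-code 0 --format table "$(imageName)"
    displayName: Report low/medium findings

  # Gating pass: exit code 1 on any HIGH/CRITICAL finding that has a fix available.
  # Dropping --ignore-unfixed makes the gate stricter but noisier (distro CVEs with no patch yet).
  - script: >
      trivy image --scanners vuln --severity HIGH,CRITICAL --ignore-unfixed
      --exit-code 1 --format sarif
      --output "$(Build.ArtifactStagingDirectory)/trivy.sarif" "$(imageName)"
    displayName: Fail on high/critical findings

  # JUnit XML via the template from the repository, so findings show up in the Tests tab.
  - script: |
      set -euo pipefail
      curl -sfL -o junit.tpl https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/junit.tpl
      trivy image --scanners vuln --exit-code 0 --format template --template "@junit.tpl" \
        --output "$(Build.ArtifactStagingDirectory)/trivy-junit.xml" "$(imageName)"
    displayName: Write JUnit report
    condition: always()

  - task: PublishTestResults@2
    condition: always()
    inputs:
      testResultsFormat: JUnit
      testResultsFiles: $(Build.ArtifactStagingDirectory)/trivy-junit.xml
      testRunTitle: Trivy image scan

  - task: PublishBuildArtifacts@1
    condition: always()
    inputs:
      PathtoPublish: $(Build.ArtifactStagingDirectory)
      ArtifactName: CodeAnalysisLogs
```

Two design notes. The scan is split into an informational pass and a gating pass so the build fails only on the severities the team has agreed to block, while the full picture is still in the log; findings you have consciously accepted belong in a .trivyignore file in the repository, not in a lower threshold. Each run downloads the vulnerability database on first use, which is what the "fast, no database to install" claim above really means in CI: expect a few seconds of download per job unless you cache the Trivy cache directory between runs.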

