Trivy is a simple and comprehensive vulnerability scanner that you can integrate into your CI/CD pipeline to scan container images for vulnerabilities.

Here’s how to set up Trivy to scan your container images in Jenkins:

First, you need to install Trivy on your Jenkins agent. You can do this manually by downloading the binary or, more practically, by using a Jenkins pipeline step.

pipeline {
    agent any
    stages {
        stage('Install Trivy') {
            steps {
                // Jenkins runs sh steps under /bin/sh (often dash, not bash), so the
                // presence check uses POSIX redirection rather than the bash-only &>.
                sh '''
                    if ! command -v trivy > /dev/null 2>&1
                    then
                        echo "Trivy not found, downloading and installing..."
                        wget https://github.com/aquasecurity/trivy/releases/download/v0.48.3/trivy_0.48.3_Linux-64bit.tar.gz -O trivy.tar.gz
                        tar zxvf trivy.tar.gz
                        sudo mv trivy /usr/local/bin/
                        rm trivy.tar.gz
                        echo "Trivy installed successfully."
                    else
                        echo "Trivy already installed."
                    fi
                '''
            }
        }
        // ... rest of the pipeline
    }
}

Next, in your Jenkinsfile, after you’ve built your Docker image, you can add a stage to scan it. Trivy can scan an image directly by its name or by pulling it from a registry.

pipeline {
    agent any
    stages {
        stage('Install Trivy') {
            // ... (previous installation steps)
        }
        stage('Build Docker Image') {
            steps {
                script {
                    // Assuming you have a Dockerfile in your workspace
                    sh 'docker build -t my-app:latest .'
                }
            }
        }
        stage('Scan Image with Trivy') {
            steps {
                sh 'trivy image --severity HIGH,CRITICAL --exit-code 1 my-app:latest'
            }
        }
    }
}

In this Scan Image with Trivy stage, trivy image --severity HIGH,CRITICAL --exit-code 1 my-app:latest does the following:

  • trivy image: Tells Trivy to scan a container image.
  • --severity HIGH,CRITICAL: Filters the results to only report vulnerabilities of severity HIGH or CRITICAL. This is a common practice to focus on the most impactful issues.
  • --exit-code 1: This is crucial for CI/CD. If Trivy finds any vulnerabilities matching the severity filter, it will exit with a non-zero status code (in this case, 1), causing the Jenkins build to fail. This prevents vulnerable images from proceeding in your pipeline.
  • my-app:latest: This is the name of the Docker image you want to scan.

You can also configure Trivy to output results in different formats, such as JSON, for easier parsing or reporting.

pipeline {
    agent any
    stages {
        // ... (previous stages)
        stage('Scan Image with Trivy (JSON Output)') {
            steps {
                sh 'trivy image --severity HIGH,CRITICAL --format json --output trivy-results.json my-app:latest'
                // You can then archive the results or process them further
                archiveArtifacts artifacts: 'trivy-results.json', fingerprint: true
            }
        }
    }
}

Here, --format json directs Trivy to output the scan results as JSON, and --output trivy-results.json saves it to a file. The archiveArtifacts step makes this report available for download from the Jenkins build page.
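Once the report is archived, you can apply a build policy to it that is richer than a single exit code. The script below is an added example, not code from the original article or from the Trivy project: it flattens Trivy's JSON report shape (`Results[].Vulnerabilities[]`) into a list, summarises counts per severity, and returns the findings that breach a chosen threshold, optionally ignoring vulnerabilities for which no fixed version exists yet. The embedded report is constructed for the example and its CVE identifiers are placeholders; it deliberately includes a MEDIUM finding to show the threshold logic, whereas a report produced with `--severity HIGH,CRITICAL` would already be filtered.

```python
"""Summarise a Trivy JSON report and decide whether a build should fail.

Added example; the report below is constructed and its CVE ids are placeholders.
"""
import json
import sys
from collections import Counter

# Constructed sample in the shape Trivy writes with --format json (SchemaVersion 2).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "my-app:latest",
    "Results": [
        {
            "Target": "my-app:latest (debian 12.4)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libother",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "app/package-lock.json",
            "Class": "lang-pkgs",
            "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "example-pkg",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
            ],
        },
        # A target with no findings has no "Vulnerabilities" key at all.
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip"},
    ],
})

# Rank severities so a threshold can be compared numerically; unknown names rank lowest.
SEVERITY_RANK = {name: i for i, name in enumerate(["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"])}


def load_findings(report_text):
    """Flatten Results[].Vulnerabilities[] into one list, tagging each entry with its target."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results") or []:          # Results may be absent when clean
        for vuln in result.get("Vulnerabilities") or []:  # key absent for clean targets
            findings.append({
                "id": vuln.get("VulnerabilityID"),
                "pkg": vuln.get("PkgName"),
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion") or None,  # "" means no fix available
                "severity": vuln.get("Severity", "UNKNOWN"),
                "target": result.get("Target"),
            })
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'CRITICAL': 1, 'HIGH': 2}."""
    return dict(Counter(f["severity"] for f in findings))


def blocking_findings(findings, min_severity="HIGH", fixed_only=False):
    """Return the findings at or above min_severity (optionally only those with a fix)."""
    threshold = SEVERITY_RANK[min_severity]
    blocking = []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        if fixed_only and f["fixed"] is None:
            continue
        blocking.append(f)
    return blocking


def gate(report_text, min_severity="HIGH", fixed_only=False):
    """Return (summary, blocking ids); an empty id list means the build may proceed."""
    findings = load_findings(report_text)
    blocking = blocking_findings(findings, min_severity, fixed_only)
    return summarize(findings), [f["id"] for f in blocking]


if __name__ == "__main__":
    # Usage from a Jenkins sh step: python3 gate.py trivy-results.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    summary, blocked = gate(text, min_severity="HIGH", fixed_only=True)
    print("findings by severity:", summary)
    for vuln_id in blocked:
        print("blocking:", vuln_id)
    sys.exit(1 if blocked else 0)
```

Run from a Jenkins `sh` step after the JSON scan stage; a non-zero exit fails the build just as `--exit-code 1` does, but the policy (threshold, whether unfixed findings count) lives in one place and can be tightened without changing the scan command.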

Trivy supports scanning various components within an image, including OS packages, application dependencies (npm, pip, Maven, and others), and IaC configuration files. You can specify different targets if needed, but for a standard container image scan, trivy image is usually sufficient.

To get the most out of Trivy, ensure your Jenkins agents have access to the internet to download vulnerability databases. Trivy automatically updates its databases periodically, but you can also force an update using trivy image --download-db-only.

The most surprising thing about Trivy integration is how little configuration is actually needed to get meaningful results; it’s designed for immediate utility.

By default, Trivy downloads its vulnerability databases when it first runs. If you are in an environment with strict outbound network policies, you might need to pre-download the database or configure Trivy to use a local mirror.

The next step in securing your container images would be to explore Trivy’s configuration scanning capabilities for Dockerfiles, Kubernetes manifests, and Terraform files.
