Versions Compared

Old Version 1

changes.mady.by.user Umair Fayaz

Saved on

compared with

New Version 2

changes.mady.by.user Gurpreet Luthra

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Scanning Vulnerabilities, Secrets, Container Images, Kubernetes Cluster and Secrets with Trivy

Vulnerability Scanning with Trivy

Trivy scans for OS packages and software dependencies in use (SBOM), Known vulnerabilities (CVEs), IaC issues and misconfigurations, Sensitive information and secrets and Software licenses while doing a scan. Trivy supports various types of targets like Container Images, Filesystem, Git Repository (remote), Virtual Machine Image, Kubernetes and AWS.

Bahmni uses Trivy in the CI/CD Pipelines at various stages - from writing the code -> pushing it to GitHub -> building Images to when the code is running the Kubernetes Cluster

Filesystem Scan

To perform a Filesystem scan, Trivy must be installed on the system. Follow the installation steps here. Once installed, a filesystem scan can be performed by trivy fs <path-to-scan>. A Filesystem scans by default scans the files in your system for Vulnerabilities (language-specefic files) and Secrets.

Bahmni utilises Trivy’s Filesystem Scan feature for doing a Static Code Analysis and Secrets Scanning on some of the repositories so that whenever the Developers push their code, before the build happens, it goes through a scan to make sure that the code does not have any out-dated and vulnerable libraries or secrets. To see this in detail, check out the Secrets Scanning Section.

Container Image Scanning

To scan a container image with Trivy, simply specify an image name (and a tag).:

...

To make sure no vulnerabilities are being pushed to Dockerhub from our Images Bahmni has Trivy Scanning enabled at multiple steps in the pipelines. At first, when the code is pushed we perform a Filesystem scan that scans the files for Vulnerabilities and secrets. If Any Critical or High level Vulnerability is found the pipeline stops even before build and notifies the Developers about it. Another benefit is that the artifacts built from that code are also generated free from the Vulnerabilities. If the Filesystem scan succeeds, then after performing the build again a Trivy Image scan is performed. This time Trivy scans the layers of the container Images including the Base Image used. Checkout the example of such a pipeline here.

Kubernetes Cluster Scanning

Once the workloads are deployed to Kubernetes, Bahmni has set up automated, continual resource scanning of the running workloads. Scanning the running workloads becomes important because even if the Image scan was successful at the time of build and publish, after some time if the image is not updated some of the libraries or the base image can become vulnerable.

...

At the end of the scan, a slack notification is automatically sent to Bahmni’s #cicd-monitor channel. This is also customisable and can be replaced with any other notification service.

Secrets Scanning

Trivy, by default checks for Secrets like passwords, api keys, and tokens while performing a scan. The secret scanning works by using its built-in rules which allows it only report very sensitive secrets like AWS access keys, GCP service accounts, GitHub personal access tokens, GitLab personal access tokens, Slack access tokens etc. This is done to minimize false positives. Here is the full list of Trivy’s built in rules.

...