name: build
on:
  push:
    branches:
      - main
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04   # ubuntu-20.04 has been retired from GitHub-hosted runners; use ubuntu-22.04 or later
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Build an image from Dockerfile
        run: |
          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@<version>   # version ref lost in extraction; pin to a release tag or commit SHA
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'table'
          exit-code: '1'          # fail the job when findings remain after the filters below
          ignore-unfixed: true    # skip findings that have no fixed version yet
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
trivy-action
Runs Trivy as a GitHub Action to scan your Docker container image for vulnerabilities.
Integrating Trivy into our CI pipeline is a high-impact security measure: Trivy surfaces vulnerabilities early in the development process, before an image or dependency reaches production. It supports several scanning modes (container images, image tarballs, filesystems, repositories, Infrastructure as Code, and SBOM generation) and integrates directly with GitHub's security features, so vulnerability detection is both comprehensive and automated.
Potential Benefit
With Trivy in our CI workflows, the codebase and its dependencies are scanned for known vulnerabilities on every push and pull request, turning security from a periodic audit into a continuous gate. Findings can be reported into GitHub's code scanning (the Security tab) and Dependency Graph, so they are tracked and managed where developers already work.
How can we implement Trivy with basic configuration?
- Steps to Implement:
  - Code checkout: use actions/checkout@v3.
  - Execute Trivy against the filesystem: run the aquasecurity/trivy-action action (pinned to a release tag or commit SHA) with scan-type: 'fs', and point trivy-config at a trivy.yaml file kept in the repository so that scanner options are versioned with the code.
- Configuration Example:
name: build
on:
  push:
    branches:
      - main
  pull_request:
jobs:
  build:
    runs-on: ubuntu-20.04
    steps:
      - name: Check-out code
        uses: actions/checkout@v3
      - name: Execute Trivy Vulnerability Scanner in file system mode
        uses: aquasecurity/trivy-action@<version>   # version ref lost in extraction; pin to a release tag or commit SHA
        with:
          scan-type: 'fs'
          scan-ref: '.'
          trivy-config: trivy.yaml
- Comments: This setup runs Trivy in filesystem mode against the checked-out repository, so the codebase and its dependency manifests and lockfiles are scanned for vulnerabilities. Severity thresholds, exit code and other scanner options are read from trivy.yaml rather than from action inputs.
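The trivy.yaml that the workflow above points to is not shown on the page. The following is an added example of such a file (not the trivy-action project's own), with settings chosen to match the gating used in the image-scan workflow at the top of the page; the skip-dirs paths are assumptions for a typical repository layout.

```yaml
# trivy.yaml: repository-level Trivy configuration, read by trivy-action through
# the trivy-config input (equivalent to running `trivy --config trivy.yaml`).
# Added example, not part of the trivy-action project; directory names are assumptions.

# Fail the job (exit code 1) when any finding at or above the listed severities remains.
exit-code: 1
severity:
  - CRITICAL
  - HIGH

# Accepted-risk findings are listed by ID in this file, one per line, so that
# exceptions are reviewed in the same pull requests as the code that needs them.
ignorefile: .trivyignore

scan:
  # Run the vulnerability, misconfiguration (IaC) and secret scanners together.
  scanners:
    - vuln
    - misconfig
    - secret
  # Assumed paths holding test fixtures that should not count against the gate.
  skip-dirs:
    - testdata
    - node_modules/.cache

vulnerability:
  # Do not fail on vulnerabilities that have no fixed version yet; they are still
  # printed in the report, so the gate stays actionable without hiding them.
  ignore-unfixed: true
```

Because exit-code and severity live in the file, the workflow step needs no further inputs, and a change to the policy is a reviewable commit rather than an edit to the pipeline. A .trivyignore next to it holds the accepted CVE IDs.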
How to Scan a Tarball Using Trivy?
- Steps for Integrating:
  - Generate Tarball: use docker save to export an image to a tarball (for example, an image built by an earlier job or pulled from a registry).
  - Run Trivy in Tarball Mode: point the action's input at the saved tarball so Trivy scans it without needing the image in a Docker daemon.
name: build
on:
  push:
    branches:
      - main
  pull_request:
jobs:
  build:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Create tarball from image
        run: |
          docker pull <your-docker-image>
          docker save -o vuln-image.tar <your-docker-image>
      - name: Run Trivy vulnerability scanner in tarball mode
        uses: aquasecurity/trivy-action@<version>   # version ref lost in extraction; pin to a release tag or commit SHA
        with:
          input: /github/workspace/vuln-image.tar
          severity: 'CRITICAL,HIGH'
This method is useful for scanning Docker images that already exist as tarballs, and it provides vulnerability detection before the image is deployed. Note that this step sets only severity and not exit-code, so it reports findings without failing the job; add exit-code: '1' if the scan is meant to gate the pipeline.
How to Use Trivy with GitHub Code Scanning?
- Steps to Implement:
  - Create Docker Images and Scan: build the image, scan it with Trivy in SARIF output format, and upload the SARIF file to GitHub code scanning so the findings appear in the repository's Security tab.
- Example of Configuration:
name: build
on:
  push:
    branches:
      - main
  pull_request:
permissions:
  contents: read
  security-events: write   # required by upload-sarif; the default token may not have it
jobs:
  build:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Create a Docker image from a Dockerfile
        run: |
          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
      - name: Run the Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@<version>   # version ref lost in extraction; pin to a release tag or commit SHA
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
      - name: Upload Trivy scan results to the GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
Uploading Trivy's SARIF output to GitHub code scanning makes the findings appear as alerts in the Security tab and as annotations on pull requests, so they are triaged and tracked with GitHub's own tooling. The upload step requires the security-events: write permission on the job's token.
How to Scan Repositories and IaC with Trivy?
- Steps to make Integration:
  - Run Trivy in Repo Mode: scan-type: 'fs' against the checked-out repository finds vulnerable OS packages and language dependencies declared in the tree.
  - Run Trivy for IaC: enable Trivy's misconfiguration scanner (scan-type: 'config', or misconfig in the scanners input) to check Infrastructure as Code files such as Terraform, CloudFormation, Kubernetes manifests and Dockerfiles.
- Sample Configuration:
name: build
on:
  push:
    branches:
      - main
  pull_request:
permissions:
  contents: read
  security-events: write   # required by upload-sarif
jobs:
  build:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@<version>   # version ref lost in extraction; pin to a release tag or commit SHA
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL'
      - name: Report Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
This puts the repository under scan from the moment it is created, so problems surface at the earliest achievable stage. Note that the sample above, as written, runs only the vulnerability scanner: the IaC checks described in the steps are Trivy's separate misconfiguration scanner and must be enabled explicitly, either with scan-type: 'config' or by adding misconfig to the scanners input.
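As an added example (not a workflow from the trivy-action README), the following runs the IaC misconfiguration scanner with scan-type: 'config' next to the repository vulnerability scan, and uploads the two SARIF files under distinct categories so that the second upload does not replace the first in code scanning. The `<version>` placeholder stands for a pinned release tag or commit SHA; no particular version is assumed.

```yaml
# Added example: repository vulnerability scan plus IaC misconfiguration scan,
# both reported to GitHub code scanning. Not part of the trivy-action project.
name: trivy-repo-and-iac
on:
  push:
    branches:
      - main
  pull_request:

# Least-privilege token: code scanning uploads need security-events: write;
# nothing in this job needs write access to repository contents.
permissions:
  contents: read
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Vulnerabilities in OS packages and language dependencies declared in the tree.
      - name: Run Trivy vulnerability scanner (repository)
        uses: aquasecurity/trivy-action@<version>   # pin to a release tag or commit SHA
        with:
          scan-type: 'fs'
          scan-ref: '.'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-vuln.sarif'
          severity: 'CRITICAL,HIGH'

      # Misconfigurations in IaC (Terraform, CloudFormation, Kubernetes manifests,
      # Helm charts, Dockerfiles). This is a different scanner from 'fs' above.
      - name: Run Trivy misconfiguration scanner (IaC)
        uses: aquasecurity/trivy-action@<version>
        with:
          scan-type: 'config'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-iac.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'   # fail the job on high/critical misconfigurations

      # Upload each SARIF under its own category. Uploads sharing a category for
      # the same commit replace one another, so two categories keep both visible.
      # if: always() ensures results are uploaded even when the gate above failed.
      - name: Upload vulnerability results
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-vuln.sarif'
          category: 'trivy-vuln'

      - name: Upload IaC results
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-iac.sarif'
          category: 'trivy-iac'
```

The exit-code: '1' on the IaC step is what turns the scan into a gate; without it the step only reports. Keeping the uploads conditional on always() is what lets a failed gate still leave a record in the Security tab for triage.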
How do you generate an SBOM with Trivy?
- Steps toward integration:
  - Generate and Submit SBOM: create a Software Bill of Materials in GitHub's dependency snapshot format (format: 'github') and submit it to the repository's Dependency Graph, which requires the contents: write permission on the token.
name: sbom
on:
  push:
    branches:
      - main
permissions:
  contents: write   # the Dependency Graph submission API needs write access to contents
jobs:
  build:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
        uses: aquasecurity/trivy-action@<version>   # version ref lost in extraction; pin to a release tag or commit SHA
        with:
          scan-type: 'fs'
          format: 'github'
          output: 'dependency-results.sbom.json'
          image-ref: '.'
          github-pat: ${{ secrets.GITHUB_TOKEN }}
With this, each push to main produces an SBOM of the repository's dependencies and submits it to the Dependency Graph, giving an accurate, per-commit inventory that can be audited and secured from GitHub's own dependency views.
Conclusion
Introducing Trivy into our CI pipeline scans for vulnerabilities across the assets we produce and consume: Docker images, image tarballs, filesystems, repositories and Infrastructure as Code, with SBOMs feeding the Dependency Graph. Used with exit codes as gates and SARIF uploads for tracking, these checks hold every stage of development to the same security standard.