Scanning Docker images and Kubernetes clusters for vulnerabilities with trivy

Tags: trivy, Docker, Kubernetes

Description

Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets

In short, it scans for vulnerabilities in container images, filesystems and Git repositories, and for misconfigurations and hard-coded secrets.

Ubuntu

Package download URL

https://github.com/aquasecurity/trivy/releases/download/v0.28.1/trivy_0.28.1_Linux-64bit.deb

Install the package

dpkg -i trivy_0.28.1_Linux-64bit.deb

CentOS

Package download URL

https://github.com/aquasecurity/trivy/releases/download/v0.28.1/trivy_0.28.1_Linux-64bit.rpm

Install the package

rpm -i trivy_0.28.1_Linux-64bit.rpm

Docker

docker pull aquasec/trivy:0.28.1
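The download-then-install steps above hand a package straight to dpkg/rpm. The script below is an added example (not from the original page or the trivy project) that verifies the package's SHA-256 against the checksums file published with the release before installing. It assumes the checksums file follows the release's naming pattern trivy_<version>_checksums.txt with "<hex>  <filename>" lines; the network part only runs when the script is given deb or rpm as an argument.

```shell
#!/bin/sh
# Added example, not trivy's own installer: fetch a trivy release package,
# verify its SHA-256 against the release checksums file, then install it.
# Assumption: the checksums file is trivy_<version>_checksums.txt in the
# same GitHub release, one "<hex>  <filename>" entry per line.
set -eu

TRIVY_VERSION="${TRIVY_VERSION:-0.28.1}"
RELEASE_URL="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"

# sha256_of FILE -> prints the hex digest (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE CHECKSUMS_FILE -> returns 0 when FILE's digest equals
# the entry recorded for its basename in CHECKSUMS_FILE, 1 otherwise.
verify_checksum() {
    file="$1"; sums="$2"
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n {print $1}' "$sums")
    [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 1; }
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ] || { echo "checksum mismatch for $name" >&2; return 1; }
}

# install_trivy deb|rpm -> download package and checksums, verify, install.
install_trivy() {
    fmt="$1"
    pkg="trivy_${TRIVY_VERSION}_Linux-64bit.${fmt}"
    sums="trivy_${TRIVY_VERSION}_checksums.txt"
    curl -fsSLO "${RELEASE_URL}/${pkg}"
    curl -fsSLO "${RELEASE_URL}/${sums}"
    verify_checksum "$pkg" "$sums"
    case "$fmt" in
        deb) sudo dpkg -i "$pkg" ;;
        rpm) sudo rpm -i "$pkg" ;;
        *)   echo "unknown package format: $fmt" >&2; return 1 ;;
    esac
}

# Only touch the network when invoked as: sh install-trivy.sh deb|rpm
[ $# -eq 0 ] || install_trivy "$1"
```

The checksum check only proves the package matches what the release page lists; it does not replace pinning the version you tested against, which is why the version is fixed in TRIVY_VERSION rather than resolved to "latest".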

Usage

Scan a Docker image

myapp2 is a Docker image built from openjdk:11-oraclelinux8 with Spring Boot 2.6.7.

trivy image myapp2 > result.txt

Note that the redirect only captures the report: trivy writes its INFO log lines to stderr, so they do not end up in result.txt. The -o/--output flag writes the report to a file without the redirect.
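Redirecting the table to a file is fine for a one-off look, but in a pipeline you usually want trivy to fail the build on fixable high-severity findings and to keep a machine-readable report. The script below is an added example (not from the original page or the trivy project) that does that with the --severity, --ignore-unfixed, --exit-code, --format json and --output flags; the image name and report path are placeholders, and the report summary is computed with grep so it works where jq is not installed.

```shell
#!/bin/sh
# Added example, not from the original page: gate a CI job on trivy's exit
# code and summarise the JSON report. IMAGE and REPORT are placeholders.
set -eu

IMAGE="${IMAGE:-myapp2}"
REPORT="${REPORT:-trivy-report.json}"

# scan_image IMAGE REPORT -> runs trivy, writes a JSON report, and returns 1
# when any fixable HIGH/CRITICAL vulnerability is found (trivy's --exit-code).
# Unfixed findings are excluded so the gate only blocks on actionable items.
scan_image() {
    trivy image \
        --severity HIGH,CRITICAL \
        --ignore-unfixed \
        --exit-code 1 \
        --format json \
        --output "$2" \
        "$1"
}

# count_severity REPORT SEV -> number of findings whose "Severity" field in
# the JSON report equals SEV (matches with or without a space after the colon).
count_severity() {
    grep -o "\"Severity\": *\"$2\"" "$1" | wc -l | tr -d ' '
}

# print_summary REPORT -> one "SEVERITY: count" line per severity level.
print_summary() {
    for sev in CRITICAL HIGH MEDIUM LOW UNKNOWN; do
        echo "$sev: $(count_severity "$1" "$sev")"
    done
}

# Run as: sh scan-gate.sh scan  (kept behind an argument so sourcing the
# file from another script does not start a scan).
if [ "${1:-}" = "scan" ]; then
    if scan_image "$IMAGE" "$REPORT"; then
        echo "PASS: no fixable HIGH/CRITICAL findings in $IMAGE"
    else
        echo "FAIL: trivy returned non-zero for $IMAGE" >&2
        [ -f "$REPORT" ] && print_summary "$REPORT" >&2
        exit 1
    fi
fi
```

trivy also exits non-zero when the scan itself fails (image not found, database download blocked), so the gate treats an error the same as a finding rather than silently passing; the summary is only printed when a report was actually written.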

Scan a rootfs

A root filesystem here can be the host machine, a virtual machine image, or an unpacked container image filesystem, as long as it is reachable as a directory (the command takes a path).

trivy rootfs /path/to/rootfs

Scan a local directory

trivy fs /path/to/project

The fs target also covers the misconfiguration and secret checks mentioned in the description: pass --security-checks vuln,config,secret to include them in one run.

Scan a remote Git repository

Note: a repository that is already cloned locally can be scanned with trivy fs instead.

trivy repo https://github.com/fendoudebb/learning

Scan a Kubernetes cluster

trivy k8s minikube
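The k8s subcommand discovers workloads cluster-side. An alternative that only needs kubectl and the image scanner is to inventory the images the cluster is actually running and scan each one with the same flags a CI gate would use. The script below is an added example (not from the original page or the trivy project); it assumes a working kubectl context, and the text-processing helper it uses for deduplication can be run on a saved inventory without cluster access.

```shell
#!/bin/sh
# Added example, not from the original page: list every image referenced by
# running pods (containers and init containers, all namespaces), dedupe the
# list, and scan each image with trivy. Assumes kubectl is configured for
# the target cluster.
set -eu

# list_images -> one image reference per line, straight from the API server.
list_images() {
    kubectl get pods --all-namespaces -o jsonpath='{range .items[*]}{range .spec.initContainers[*]}{.image}{"\n"}{end}{range .spec.containers[*]}{.image}{"\n"}{end}{end}'
}

# unique_images <stdin> -> drops blank lines and returns a sorted, deduped
# list. Pure text processing, so it works on a saved inventory file too.
unique_images() {
    grep -v '^[[:space:]]*$' | sort -u
}

# scan_all -> scans each unique image, keeps going after a failing one, and
# returns 1 at the end if any image had fixable HIGH/CRITICAL findings.
# The list is written to a file first so the loop runs in the current shell
# (a "cmd | while" loop would lose the status variable in a subshell).
scan_all() {
    inventory=$(mktemp)
    list_images | unique_images > "$inventory"
    status=0
    while IFS= read -r image; do
        echo "== $image"
        trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 "$image" || status=1
    done < "$inventory"
    rm -f "$inventory"
    return $status
}

# Run as: sh scan-cluster-images.sh scan
if [ "${1:-}" = "scan" ]; then
    scan_all
fi
```

Deduplicating matters in practice: a DaemonSet or a scaled Deployment references the same image from many pods, and each trivy image run pulls and unpacks the image again. Scanning by image reference also means a tag that is re-pushed between inventory and scan is scanned at its new content; pin digests in your manifests if that distinction matters to you.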

Sample output

2022-06-05T19:57:42.874+0800    INFO    Detected OS: alpine
2022-06-05T19:57:42.875+0800    INFO    Detecting Alpine vulnerabilities...
2022-06-05T19:57:42.878+0800    INFO    Number of language-specific files: 0

nginx:1.21.6-alpine (alpine 3.15.4)
===================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌──────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
│ Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                   Title                    │
├──────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
│ freetype │ CVE-2022-27405 │ HIGH     │ 2.11.1-r1         │ 2.11.1-r2     │ FreeType: Segementation Fault              │
│          │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-27405 │
│          ├────────────────┤          │                   │               ├────────────────────────────────────────────┤
│          │ CVE-2022-27406 │          │                   │               │ Freetype: Segmentation violation           │
│          │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-27406 │
└──────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────┘

Java (jar)
==========
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌───────────────────────────────────────────┬────────────────┬──────────┬───────────────────┬────────────────────────┬───────────────────────────────────────────────────────────┐
│                  Library                  │ Vulnerability  │ Severity │ Installed Version │     Fixed Version      │                           Title                           │
├───────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────┼───────────────────────────────────────────────────────────┤
│ org.springframework:spring-core (app.jar) │ CVE-2022-22970 │ HIGH     │ 5.3.19            │ 5.3.20, 5.2.22.RELEASE │ springframework: DoS via data binding to multipartFile or │
│                                           │                │          │                   │                        │ servlet part                                              │
│                                           │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-22970                │
├───────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────┼───────────────────────────────────────────────────────────┤
│ org.springframework:spring-core (app.jar) │ CVE-2022-22971 │ MEDIUM   │ 5.3.19            │ 5.2.22.RELEASE, 5.3.20 │ springframework: DoS with STOMP over WebSocket            │
│                                           │                │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-22971                │
└───────────────────────────────────────────┴────────────────┴──────────┴───────────────────┴────────────────────────┴───────────────────────────────────────────────────────────┘

Official documentation

https://aquasecurity.github.io/trivy/v0.28.1

Source code

https://github.com/aquasecurity/trivy

Vulnerability database

https://github.com/aquasecurity/trivy-db/pkgs/container/trivy-db

Posted: 2022-08-13
