Using trivy to scan Docker images and K8S clusters for security vulnerabilities
Description
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
Ubuntu
Package download URL
https://github.com/aquasecurity/trivy/releases/download/v0.28.1/trivy_0.28.1_Linux-64bit.deb
Install the package
dpkg -i trivy_0.28.1_Linux-64bit.deb
CentOS
Package download URL
https://github.com/aquasecurity/trivy/releases/download/v0.28.1/trivy_0.28.1_Linux-64bit.rpm
Install the package
rpm -i trivy_0.28.1_Linux-64bit.rpm
Docker
docker pull aquasec/trivy:0.28.1
Usage
Scan a Docker image
myapp2 is a Docker image built from openjdk:11-oraclelinux8 and Spring Boot 2.6.7.
trivy image myapp2 > result.txt
Scan a rootfs
A root filesystem here means: the host machine, a virtual machine image file, or the unpacked file system of a container image.
trivy rootfs /path/to/rootfs
Scan a local file system
trivy fs /path/to/project
Scan a remote Git repository
Note: a local repository can be scanned directly with trivy fs.
trivy repo https://github.com/fendoudebb/learning
Scan a K8S cluster
trivy k8s minikube
Sample output
2022-06-05T19:57:42.874+0800 INFO Detected OS: alpine
2022-06-05T19:57:42.875+0800 INFO Detecting Alpine vulnerabilities...
2022-06-05T19:57:42.878+0800 INFO Number of language-specific files: 0
nginx:1.21.6-alpine (alpine 3.15.4)
===================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
┌──────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
│ freetype │ CVE-2022-27405 │ HIGH │ 2.11.1-r1 │ 2.11.1-r2 │ FreeType: Segementation Fault │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-27405 │
│ ├────────────────┤ │ │ ├────────────────────────────────────────────┤
│ │ CVE-2022-27406 │ │ │ │ Freetype: Segmentation violation │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-27406 │
└──────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────┘
Java (jar)
==========
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
┌───────────────────────────────────────────┬────────────────┬──────────┬───────────────────┬────────────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├───────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────┼───────────────────────────────────────────────────────────┤
│ org.springframework:spring-core (app.jar) │ CVE-2022-22970 │ HIGH │ 5.3.19 │ 5.3.20, 5.2.22.RELEASE │ springframework: DoS via data binding to multipartFile or │
│ │ │ │ │ │ servlet part │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-22970 │
├───────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────────┼───────────────────────────────────────────────────────────┤
│ org.springframework:spring-core (app.jar) │ CVE-2022-22971 │ MEDIUM │ 5.3.19 │ 5.2.22.RELEASE, 5.3.20 │ springframework: DoS with STOMP over WebSocket │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-22971 │
└───────────────────────────────────────────┴────────────────┴──────────┴───────────────────┴────────────────────────┴───────────────────────────────────────────────────────────┘
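To act on such a report in CI rather than reading the table by hand, the same scan can be written out as JSON (trivy image -f json -o report.json myapp2) and gated on severity. The script below is an added example, not part of the original post or of trivy itself; it assumes the field names of trivy's JSON report (Results, Target, Vulnerabilities, VulnerabilityID, PkgName, FixedVersion, Severity) and embeds a constructed report that merges the two tables above into one artifact, plus one constructed placeholder finding with no fix available.

```python
"""Gate a build on a Trivy JSON report (trivy image -f json -o report.json myapp2)."""
import json

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report mirroring the table output above; the field names follow
# Trivy's JSON schema as assumed here. The last finding is a constructed placeholder.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "nginx:1.21.6-alpine",
    "Results": [
        {"Target": "nginx:1.21.6-alpine (alpine 3.15.4)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-27405", "PkgName": "freetype", "Severity": "HIGH",
              "InstalledVersion": "2.11.1-r1", "FixedVersion": "2.11.1-r2"},
             {"VulnerabilityID": "CVE-2022-27406", "PkgName": "freetype", "Severity": "HIGH",
              "InstalledVersion": "2.11.1-r1", "FixedVersion": "2.11.1-r2"}]},
        {"Target": "Java (jar)", "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-22970", "PkgName": "org.springframework:spring-core",
              "Severity": "HIGH", "InstalledVersion": "5.3.19", "FixedVersion": "5.3.20, 5.2.22.RELEASE"},
             {"VulnerabilityID": "CVE-2022-22971", "PkgName": "org.springframework:spring-core",
              "Severity": "MEDIUM", "InstalledVersion": "5.3.19", "FixedVersion": "5.2.22.RELEASE, 5.3.20"},
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "example:placeholder-lib",
              "Severity": "HIGH", "InstalledVersion": "1.0.0", "FixedVersion": ""}]}]})

def summarize(report_json, min_severity="HIGH", ignore_unfixed=False):
    """Return (counts per target by severity, findings at or above min_severity)."""
    report = json.loads(report_json)
    threshold = SEVERITY_ORDER.index(min_severity)
    counts, blocking = {}, []
    for result in report.get("Results", []):
        per_target = counts.setdefault(result["Target"], {s: 0 for s in SEVERITY_ORDER})
        # "Vulnerabilities" may be absent entirely when a target is clean.
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            per_target[sev] += 1
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # like --ignore-unfixed: no version to upgrade to yet
            if SEVERITY_ORDER.index(sev) >= threshold:
                blocking.append((result["Target"], vuln["VulnerabilityID"], vuln["PkgName"], sev))
    return counts, blocking

def gate_exit_code(report_json, min_severity="HIGH", ignore_unfixed=False):
    """Like --exit-code 1: return 1 when any finding meets the threshold, else 0."""
    return 1 if summarize(report_json, min_severity, ignore_unfixed)[1] else 0

if __name__ == "__main__":
    counts, blocking = summarize(SAMPLE_REPORT, ignore_unfixed=True)
    for target, c in counts.items():
        print(target, "Total:", sum(c.values()), c)
    raise SystemExit(gate_exit_code(SAMPLE_REPORT, ignore_unfixed=True))
```

trivy can apply the same gate natively with trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed myapp2; the script is for the case where reports are archived and evaluated later.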
Official documentation
https://aquasecurity.github.io/trivy/v0.28.1
Source repository
https://github.com/aquasecurity/trivy
Vulnerability database
https://github.com/aquasecurity/trivy-db/pkgs/container/trivy-db