
Simplify Cloud Native Security with Trivy

Trivy is now one tool for all cloud native scanning needs including source code, repositories, images, artifact registries, Infrastructure as Code (IaC) templates and Kubernetes environments. With fewer tools to manage, developers, DevOps and DevSecOps now have a more efficient, simplified tool to ensure security of their cloud native applications. They can integrate security into their workflows without having to leave their continuous integration or continuous deployment (CI/CD) environments. By integrating more cloud native scanning targets into Trivy, such as Kubernetes, Trivy is simplifying cloud native security.

Teppei Fukuda

August 05, 2022

Transcript

  1. Simplify Cloud Native Security with Trivy

    Teppei Fukuda / August 5th, 2022
    CloudNative Security Conference 2022
    © 2022 Aqua Security Software Ltd., All Rights Reserved
  2. The Application Development Lifecycle

    (diagram: stages Code, Build, Deploy, Run; App row: Git, CI, Artifact registry, CD, Orchestrator; Infra row: Code (custom, 3rd party, OSS), Image, IaC, Functions, VMs, Containers, Cloud accounts)
  3. The Application Development Lifecycle: Artifact Scanning and Runtime

    (same diagram as slide 2, with the stages covered by Artifact Scanning and by Runtime marked)
  4. Cloud Native Application Protection Platforms (CNAPP)

    (diagram after Gartner, Inc., "Innovation Insight for Cloud-Native Application Protection Platforms": Dev / Ops / Sec across Artifact Scanning, Cloud Configuration and Runtime Protection)
    Artifact Scanning: SAST/DAST, API scanning, Secrets scanning, Malware scanning, Software Composition Analysis (SCA), Infrastructure as Code scanning
    Cloud Configuration: Network Configuration and Security Policy, Cloud Infrastructure Entitlements Mgmt, Kubernetes Security Posture Management (KSPM), Cloud Security Posture Management (CSPM)
    Runtime Protection: Web Application and API Protection, Application Monitoring, Cloud Workload Protection Platform (CWPP), Network Segmentation, Workload Vulnerability/Config
  5. Open Source Security Tools

    (the CNAPP diagram of slide 4 with open source tools placed on it, e.g. Gitleaks and gosec)
  6. Open Source Security Tools: Where to start…?

    (same diagram as slide 5)
  7. The Application Development Lifecycle: Artifact Scanning and Runtime

    (same diagram as slide 3)
  8. Which stage to secure

    (same lifecycle diagram as slide 2)
  9. Visibility and protection for cloud native development

    (layered diagram, repeated on later slides)
    Dev: SCA, IaC Scanning, SAST/DAST, Fuzzing, Secrets Scanning. Preventing security from slowing down development: "Trust your Code".
    DevOps / DevSecOps: Container Image Scanning (vulnerabilities, secrets, malware, etc.), Supply Chain Security. Preventing vulnerable artifacts from deploying: "Secure your Artifact".
    Infrastructure / Cloud / Security: CSPM, KSPM, Network Configuration, Workload Vulnerability/Config. Scan cloud deployments for security issues like misconfigurations: "Harden your Deployment".
    Security Operations: AV, EDR, IDS/IPS/WAF, Container / VMs / Server Protection: "Handle Attack".
  10. Build

    (slide 9 diagram, showing the Dev and DevOps / DevSecOps layers for the Build stage)
  11. Deploy

    (slide 9 diagram, showing the DevOps / DevSecOps and Infrastructure / Cloud / Security layers for the Deploy stage)
  12. Attack: Prevent, Detect, Block

    (slide 9 diagram, annotated Attack / Prevent / Detect / Block)
  13. Build and Deploy

    (slide 9 diagram, annotated Attack / Deploy / Build)
  14. Shifting Left

    (slide 9 diagram with a High to Low priority scale)
  15. Invest early, save later

    (slide 9 diagram; annotation: "Still too much")
  16. Start with Patch & Misconfiguration Scanning

    (slide 9 diagram)
  17. What's Trivy? The Swiss Army Knife for Security Scanning

    • Started as a vulnerability scanner for container images
    • Joined Aqua Security in 2019
    https://github.com/aquasecurity/trivy
  18. Scan filesystem for vulnerabilities

    Scan your project including a lock file with the "filesystem" or "fs" subcommand.

    $ trivy fs ./myproject

    Pipfile.lock
    ============
    Total: 9 (UNKNOWN: 1, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)

    +---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
    | LIBRARY             | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION          | TITLE                              |
    +---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
    | django              | CVE-2020-7471    | HIGH     | 2.0.9             | 3.0.3, 2.2.10, 1.11.28 | django: potential                  |
    |                     |                  |          |                   |                        | SQL injection via                  |
    |                     |                  |          |                   |                        | StringAgg(delimiter)               |
    +                     +------------------+----------+                   +------------------------+------------------------------------+
    |                     | CVE-2019-19844   | MEDIUM   |                   | 3.0.1, 2.2.9, 1.11.27  | Django: crafted email address      |
    |                     |                  |          |                   |                        | allows account takeover            |
    +---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
  19. Scan git repository

    $ trivy repo [REPOSITORY_URL]

    e.g.
    $ trivy repo github.com/aquasecurity/tracee
  20. Custom policies (OPA/Rego)

    package user.kubernetes.ID001

    import lib.result

    __rego_metadata__ := {
        "id": "ID001",
        "title": "Deployment not allowed",
        "severity": "LOW",
        "description": "Deployments are not allowed because of some reasons.",
    }

    __rego_input__ := {
        "selector": [
            {"type": "kubernetes"},
        ],
    }

    deny[res] {
        input.kind == "Deployment"
        msg := sprintf("Found deployment '%s' but deployments are not allowed", [input.metadata.name])
        res := result.new(msg, input)
    }
  21. Developer Security (Build)

    (slide 9 diagram)
  22. Scan container images for vulnerabilities

    (slide 9 diagram)
  23. Example

    $ trivy image alpine:3.10.7
    2021-07-13T18:16:52.490+0300 INFO Detected OS: alpine
    2021-07-13T18:16:52.490+0300 INFO Detecting Alpine vulnerabilities...

    alpine:3.10.7 (alpine 3.10.7)
    =============================
    Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

    +------------+------------------+----------+-------------------+---------------+---------------------------------------+
    | LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE                                 |
    +------------+------------------+----------+-------------------+---------------+---------------------------------------+
    | apk-tools  | CVE-2021-30139   | HIGH     | 2.10.4-r2         | 2.10.6-r0     | In Alpine Linux apk-tools             |
    |            |                  |          |                   |               | before 2.12.5, the tarball            |
    |            |                  |          |                   |               | parser allows a buffer...             |
    |            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-30139 |
    +------------+------------------+          +-------------------+---------------+---------------------------------------+
    | busybox    | CVE-2021-28831   |          | 1.30.1-r4         | 1.30.1-r5     | busybox: invalid free or segmentation |
    |            |                  |          |                   |               | fault via malformed gzip data         |
    |            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-28831 |
    +------------+------------------+----------+-------------------+---------------+---------------------------------------+
  24. Detect comprehensive vulnerabilities

    • OS packages
      • Debian / Ubuntu
      • Red Hat Enterprise Linux / CentOS
      • Alpine Linux
      • Amazon Linux
      • Oracle Linux
      • openSUSE / SUSE Enterprise Linux
      • Photon OS
      • Google Distroless
      • AlmaLinux / Rocky Linux
      • CBL-Mariner
    • Language-specific packages
      • Ruby
      • PHP
      • Python
      • JavaScript / Node.js
      • Rust
      • Java
      • Go
      • .NET
  25. Key Takeaways: Top Technical Breach Causes

    (slide 9 diagram, Dev and DevOps / DevSecOps layers; annotation: "Invest early, save later")
  26. Hard-coded secrets scanning

    • AWS Access Key ID / Secret Access Key
    • GCP Service Account
    • GitHub Personal Access Token
    • Slack Access Token
    • etc.
  27. Optimization

    FROM debian:8
    RUN apt-get update
    COPY mysecret.txt /
    ENTRYPOINT ["entrypoint.sh"]
    CMD ["somecmd"]

    (annotations on the Dockerfile: "Secret scanning is quite slow", "No need to scan")
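Slide 26 lists the credential formats a secret scanner looks for, and slide 27 makes the optimization point that image layers which add no files (here the ENTRYPOINT and CMD instructions) contain nothing worth the cost of scanning. The script below is an added example, not code from the deck or from Trivy, that shows both ideas on a constructed image: the layer list is made up to match the slide's Dockerfile, the regular expressions are the well-known fixed prefixes of AWS key ids, GitHub personal access tokens and Slack tokens rather than Trivy's rule set, and AKIAIOSFODNN7EXAMPLE is the example key id from the AWS documentation. Findings carry only a masked prefix so the scan report cannot itself re-leak a credential.

```python
import re

# Detection rules for some of the credential formats listed on slide 26. The
# patterns are the well-known fixed prefixes of those formats; they are
# illustrative and not Trivy's own rule set.
SECRET_RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack-token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}"),
}

# Constructed image, one entry per instruction of the slide 27 Dockerfile.
# "files" is what the layer adds; ENTRYPOINT and CMD only change image config,
# so their layers contain nothing to scan. AKIAIOSFODNN7EXAMPLE is the
# example key id from the AWS documentation, not a live credential.
IMAGE_LAYERS = [
    {"created_by": "FROM debian:8",
     "files": {"/etc/os-release": 'PRETTY_NAME="Debian GNU/Linux 8 (jessie)"\n'}},
    {"created_by": "RUN apt-get update",
     "files": {"/var/lib/apt/lists/lock": ""}},
    {"created_by": "COPY mysecret.txt /",
     "files": {"/mysecret.txt": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                                 "AWS_SECRET_ACCESS_KEY=<omitted in this sample>\n"}},
    {"created_by": 'ENTRYPOINT ["entrypoint.sh"]', "files": {}},
    {"created_by": 'CMD ["somecmd"]', "files": {}},
]


def mask(value):
    """Keep only the format prefix so the report cannot re-leak the secret."""
    return value[:4] + "****"


def scan_text(path, text):
    """Run every rule over every line of one file; return masked findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_id, pattern in SECRET_RULES.items():
            for match in pattern.finditer(line):
                findings.append({"rule": rule_id, "path": path,
                                 "line": lineno, "match": mask(match.group(0))})
    return findings


def scan_layers(layers):
    """Scan each layer's files, skipping layers that add no files at all."""
    scanned, skipped, findings = [], [], []
    for layer in layers:
        if not layer["files"]:
            skipped.append(layer["created_by"])
            continue
        scanned.append(layer["created_by"])
        for path, content in layer["files"].items():
            findings.extend(scan_text(path, content))
    return {"scanned": scanned, "skipped": skipped, "findings": findings}


if __name__ == "__main__":
    report = scan_layers(IMAGE_LAYERS)
    print(f'scanned {len(report["scanned"])} layers, skipped {len(report["skipped"])}')
    for f in report["findings"]:
        print(f'{f["rule"]}: {f["path"]}:{f["line"]} {f["match"]}')
```

On the constructed image, three layers are scanned, two are skipped, and the single finding points at /mysecret.txt line 1 with the masked value AKIA****.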
  28. License classification

    • Forbidden
    • Restricted
    • Reciprocal
    • Notice
    • Etc.
    https://opensource.google/documentation/reference/thirdparty/licenses
  29. License scanning (compliance)

    $ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
    2022-07-13T17:28:39.526+0300 INFO License scanning is enabled

    OS Packages (license)
    =====================
    Total: 6 (UNKNOWN: 0, HIGH: 6, CRITICAL: 0)

    ┌───────────────────┬─────────┬────────────────┬──────────┐
    │      Package      │ License │ Classification │ Severity │
    ├───────────────────┼─────────┼────────────────┼──────────┤
    │ alpine-baselayout │ GPL-2.0 │   Restricted   │   HIGH   │
    ├───────────────────┤         │                │          │
    │ apk-tools         │         │                │          │
    ├───────────────────┤         │                │          │
    │ busybox           │         │                │          │
    ├───────────────────┤         │                │          │
    │ musl-utils        │         │                │          │
    ├───────────────────┤         │                │          │
    │ scanelf           │         │                │          │
    ├───────────────────┤         │                │          │
    │ ssl_client        │         │                │          │
    └───────────────────┴─────────┴────────────────┴──────────┘
  30. Extended license scanning

    Scan license files and file headers (--license-full).

    $ trivy image --security-checks license --severity UNKNOWN,HIGH,CRITICAL --license-full grafana/grafana
    2022-07-13T17:48:40.905+0300 INFO Full license scanning is enabled

    Loose File License(s) (license)
    ===============================
    Total: 6 (UNKNOWN: 4, HIGH: 0, CRITICAL: 2)

    ┌────────────────┬──────────┬──────────────┬──────────────────────────────────────────────────────────────────────────┐
    │ Classification │ Severity │   License    │                              File Location                               │
    ├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────────────────┤
    │ Forbidden      │ CRITICAL │ AGPL-3.0     │ /usr/share/grafana/LICENSE                                               │
    ├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────────────────┤
    │ Non Standard   │ UNKNOWN  │ BSD-0-Clause │ /usr/share/grafana/public/build/5069.d6aae9dd11d49c741a80.js.LICENSE.txt │
    │                │          │              ├──────────────────────────────────────────────────────────────────────────┤
    │                │          │              │ /usr/share/grafana/public/build/6444.d6aae9dd11d49c741a80.js.LICENSE.txt │
    └────────────────┴──────────┴──────────────┴──────────────────────────────────────────────────────────────────────────┘
    (the slide shows only the first rows of the table)
  31. Trivy covers more

    (slide 9 diagram)
  32. Kubernetes cluster scanning

    # cluster scanning
    $ trivy k8s --report summary cluster

    # namespace scanning:
    $ trivy k8s -n kube-system --report summary all

    # resources scanning:
    $ trivy k8s deployment/orion
  33. Trivy covers more and more

    (slide 9 diagram)
  34. (image-only slide, no text)

  35. (image-only slide, no text)

  36. Software Bill of Materials (SBOM) generation

    Supports three formats:
    • CycloneDX (--format cyclonedx)
    • SPDX (--format spdx, --format spdx-json)
    • GitHub Dependency Snapshots (--format github)

    $ trivy image --format cyclonedx [YOUR_IMAGE]

    https://cyclonedx.org/
    https://spdx.dev/
    https://docs.github.com/en/rest/dependency-graph/dependency-submission
  37. SBOM scanning

    $ trivy image --format cyclonedx --output alpine.cdx.json alpine:3.15
    $ trivy sbom alpine.cdx.json

    alpine.cdx.json (alpine 3.7.1)
    ==============================
    Total: 3 (CRITICAL: 3)

    ┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
    │   Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
    ├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
    │ curl        │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0         │ 7.61.1-r0     │ curl: NTLM password overflow via integer overflow            │
    │             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-14618                   │
    ├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
    │ libbz2      │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: out-of-bounds write in function BZ2_decompress        │
    │             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12900                   │
    ├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
    │ sqlite-libs │ CVE-2019-8457  │ CRITICAL │ 3.21.0-r1         │ 3.25.3-r1     │ sqlite: heap out-of-bound read in function rtreenode()       │
    │             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
    └─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
  38. Attestation

    • Authenticated metadata about a set of software artifacts
      • Provenance
        • A container image with digest "sha256:87f7fe…" from git commit "f0c93d…"
      • SBOM
    • Formats
      • In-toto attestation (https://github.com/in-toto/attestation)

    {
      "payloadType": "application/vnd.in-toto+json",
      "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwOi8vbXkuZXhhbXBsZS5jb20vYXV0aG9yIiwic3ViamVjdCI6W3sibmFtZSI6ImluZGV4LmRvY2tlci5pby9vdG1zNjEvaGVsbG8tMSIsImRpZ2VzdCI6eyJzaGEyNTYiOiIyMGQzZjY5M2RjZmZhNDRkNmIyNGVhZTg4NzgzMzI0ZDI1Y2MxMzJjMjIwODlmNzBlNGZiZmI4NTg2MjViMDYyIn19XSwicHJlZGljYXRlIjp7ImF1dGhvciI6InNhc28ifX0=",
      "signatures": [
        {
          "keyid": "",
          "sig": "MEQC++c7F1czPr...CKdBdjq+If/g67Q=="
        }
      ]
    }
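The envelope on the slide is a DSSE envelope: the base64 payload is an in-toto Statement whose subject lists the artifact by name and digest, and the signature is computed over the payload type and payload together, not over the JSON as printed. The script below is an added example, not code from the deck or from Trivy or in-toto, that builds such an envelope for a constructed artifact (registry.example.com/demo/app with a digest made from a placeholder byte string), shows the DSSE pre-authentication encoding a signer actually signs, and performs the check a consumer does after signature verification: that the statement really refers to the image about to be deployed and not to some other artifact the same signer attested. The SLSA provenance predicate type is a real identifier; the predicate contents and builder id are constructed, and signing itself is left out because it needs a key.

```python
import base64
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed artifact. In practice the digest is the image manifest digest
# reported by the registry; here it is the SHA-256 of a placeholder string.
IMAGE_NAME = "registry.example.com/demo/app"
IMAGE_DIGEST = hashlib.sha256(b"constructed image manifest").hexdigest()


def make_statement(name, sha256_hex, predicate_type, predicate):
    """Build an in-toto Statement v0.1 binding a predicate to one subject."""
    return {
        "_type": STATEMENT_TYPE,
        "predicateType": predicate_type,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex}}],
        "predicate": predicate,
    }


def pae(payload_type, payload):
    """DSSE Pre-Authentication Encoding: the exact bytes a signer signs."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(),
                                     len(payload), payload)


def wrap_envelope(statement):
    """Serialize the statement into a DSSE envelope (signature left empty)."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        # A real signer signs pae(PAYLOAD_TYPE, payload) with its private key;
        # this structural example has no key, so the signature is a placeholder.
        "signatures": [{"keyid": "", "sig": "<signature omitted in example>"}],
    }


def build_example_envelope():
    """Constructed provenance-style attestation for the constructed image."""
    statement = make_statement(
        IMAGE_NAME, IMAGE_DIGEST,
        "https://slsa.dev/provenance/v0.2",  # SLSA provenance predicate type
        {"builder": {"id": "https://ci.example.com/builder"},  # constructed
         "buildType": "https://ci.example.com/buildtypes/container/v1"},
    )
    return wrap_envelope(statement)


def check_subject_binding(envelope, expected_name, expected_sha256):
    """Decode the envelope and confirm the statement covers our artifact.

    Returns (ok, reason). In a pipeline this runs after the signature over
    pae(payloadType, payload) has been verified against a trusted key.
    """
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        return False, "unexpected payloadType"
    try:
        statement = json.loads(base64.b64decode(envelope["payload"]))
    except (KeyError, ValueError):
        return False, "payload is not base64-encoded JSON"
    if statement.get("_type") != STATEMENT_TYPE:
        return False, "not an in-toto Statement"
    for subject in statement.get("subject", []):
        if (subject.get("name") == expected_name
                and subject.get("digest", {}).get("sha256") == expected_sha256):
            return True, "subject matches artifact"
    return False, "attestation does not cover this artifact"


if __name__ == "__main__":
    env = build_example_envelope()
    print(json.dumps(env, indent=2))
    print(check_subject_binding(env, IMAGE_NAME, IMAGE_DIGEST))
    print(check_subject_binding(env, IMAGE_NAME, "0" * 64))
```

The digest comparison is the point: an attestation is only evidence about the artifact whose digest appears in its subject, so a consumer resolves the tag to a digest first and compares that, never the tag.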
  39. Trivy Operator

    • Automated vulnerability scanning for Kubernetes workloads.
    • Automated configuration audits for Kubernetes resources with predefined rules or custom Open Policy Agent (OPA) policies.
    • Custom Resource Definitions and a Go module to work with and integrate a range of security scanners.
    • The Lens Extension that makes security reports available through familiar Kubernetes interfaces.
  40. trivy.yaml

    $ cat << EOS > trivy.yaml
    timeout: 20m
    format: json
    dependency-tree: true
    list-all-pkgs: true
    exit-code: 1
    output: result.json
    severity:
      - HIGH
      - CRITICAL
    scan:
      security-checks:
        - vuln
        - secret
    vulnerability:
      ignore-unfixed: true
    EOS
    $ trivy image YOUR_IMAGE
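The trivy.yaml above turns the CLI into a CI gate: only HIGH and CRITICAL findings from the vuln and secret scanners count, vulnerabilities with no fixed version are ignored, and exit-code 1 fails the job. The script below is an added example, not code from the deck or from Trivy, that applies the same three knobs to a report saved with format: json, so the decision can be made, or re-made with different thresholds, from the stored result.json without rescanning. The embedded report is constructed in Trivy's schema-version-2 JSON layout: the Results, Vulnerabilities, FixedVersion, Secrets and RuleID keys are the ones Trivy emits, the two fixed findings repeat the alpine:3.10.7 output of slide 23, and the unfixed entry (package name and CVE id are placeholders) and the secret result are made up.

```python
import json

# Constructed sample in Trivy's JSON report layout (SchemaVersion 2). The two
# fixed findings mirror the alpine:3.10.7 scan shown on slide 23; the unfixed
# CRITICAL entry (package and CVE id are placeholders) and the secret result
# are made up so that every gate setting has something to act on.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "alpine:3.10.7",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "alpine:3.10.7 (alpine 3.10.7)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2021-30139", "PkgName": "apk-tools",
                 "InstalledVersion": "2.10.4-r2", "FixedVersion": "2.10.6-r0",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2021-28831", "PkgName": "busybox",
                 "InstalledVersion": "1.30.1-r4", "FixedVersion": "1.30.1-r5",
                 "Severity": "HIGH"},
                # Placeholder entry with no FixedVersion key: no patch exists yet.
                {"VulnerabilityID": "CVE-0000-00000", "PkgName": "placeholder-pkg",
                 "InstalledVersion": "1.0.0-r0", "Severity": "CRITICAL"},
            ],
        },
        {
            "Target": "app/settings.py",
            "Class": "secret",
            "Secrets": [
                {"RuleID": "aws-access-key-id", "Category": "AWS",
                 "Severity": "CRITICAL", "Title": "AWS Access Key ID",
                 "StartLine": 12, "EndLine": 12},
            ],
        },
    ],
})


def select_findings(report, severities, scanners, ignore_unfixed):
    """Apply the trivy.yaml knobs to a parsed report and return what remains.

    severities     -> the 'severity' list
    scanners       -> 'scan.security-checks' (vuln, secret)
    ignore_unfixed -> 'vulnerability.ignore-unfixed'
    """
    findings = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        if "vuln" in scanners:
            for vuln in result.get("Vulnerabilities") or []:
                if vuln.get("Severity") not in severities:
                    continue
                # Trivy omits FixedVersion when no fixed release exists.
                if ignore_unfixed and not vuln.get("FixedVersion"):
                    continue
                findings.append((target, "vuln", vuln["VulnerabilityID"], vuln["Severity"]))
        if "secret" in scanners:
            for secret in result.get("Secrets") or []:
                if secret.get("Severity") not in severities:
                    continue
                findings.append((target, "secret", secret["RuleID"], secret["Severity"]))
    return findings


def gate(report_text, severities=("HIGH", "CRITICAL"),
         scanners=("vuln", "secret"), ignore_unfixed=True):
    """Return (exit_code, findings); exit code 1 when anything survives, like exit-code: 1."""
    report = json.loads(report_text)
    findings = select_findings(report, set(severities), set(scanners), ignore_unfixed)
    return (1 if findings else 0), findings


if __name__ == "__main__":
    code, found = gate(SAMPLE_REPORT)
    for target, kind, ident, sev in found:
        print(f"{sev:8} {kind:6} {ident:18} {target}")
    raise SystemExit(code)
```

With the defaults the constructed report fails the gate on two fixed HIGH vulnerabilities plus the secret; dropping the vuln scanner and raising the bar to CRITICAL only passes it, because the only CRITICAL vulnerability is unfixed and therefore ignored. For a real run, feed it the saved file: gate(open("result.json").read()).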
  41. Client/Server

    (diagram: Server, Client, Cache and Container Registry)
    ① Server: download vulnerability DB
    ② Client: pull layers from the Container Registry
    ③ Analyze
    ④ Send layer information
    ⑤ Store cache
    ⑥ Respond vulnerabilities
  42. Open Policy Agent (OPA) Integration (* EXPERIMENTAL feature)

    (diagram: Detected Vulnerabilities → OPA, with a Rego policy passed via --ignore-policy → Result)
    KubeCon Europe 2020: https://static.sched.com/hosted_files/kccnceu20/e5/2020%3A08%20KubeCon%20Europe%202020.pdf
  43. WebAssembly Module (* EXPERIMENTAL feature)

    $ trivy module install ghcr.io/aquasecurity/trivy-module-spring4shell
    $ trivy image ghcr.io/aquasecurity/trivy-test-images:spring4shell-jre8

    (diagram labels: OCI Registries; Inspect Tomcat Configuration...)
  44. Audit Your Software Supply Chain for CIS Compliance

    • The CIS Software Supply Chain Security Guide
    • Aqua Security and the Center for Internet Security (CIS) collaborated
    • Provides more than 100 foundational recommendations
    • Supports key emerging standards like Supply-chain Levels for Software Artifacts (SLSA) and The Update Framework (TUF)
    https://github.com/aquasecurity/chain-bench
  45. Simplify Cloud Native Security with Trivy: Covered by Trivy

    (slide 9 diagram with the areas Trivy covers marked)