All-In-One Open Source Security Scanner | Docker Image Analysis with Trivy
Summary
TL;DR: This video from the Blue Team Training series (HackerSploit with Linode) covers Docker image analysis with Trivy and why vulnerability scanning belongs in every container workflow. It introduces Trivy, Aqua Security's scanner for vulnerabilities in container images, file systems and Git repositories and for misconfigurations in IaC files, then demonstrates running it from its container image on an Ubuntu 18.04 Linode host against ubuntu:18.04, a bWAPP image and an image vulnerable to Shellshock, reading the severity-sorted findings and feeding them back into the Dockerfile before rebuilding and rescanning.
Takeaways
- 🔍 Vulnerability scanning for Docker images is crucial because the packages baked into an image (starting with the base image's OS packages) can carry exploitable vulnerabilities that hardening the host does nothing about.
- 🛠️ Trivy, developed by Aqua Security, is a comprehensive scanner for vulnerabilities in container images, file systems and Git repositories, and for configuration issues.
- 📋 The video covers why vulnerability scanning matters, an introduction to Trivy, and a practical demonstration of scanning Docker images with Trivy.
- 🐳 Docker containers are created from Docker images, which are built from Dockerfiles that specify the base image, the packages installed on top of it, and the configuration applied.
- ⚠️ A vulnerable package in an image can let an attacker compromise the running container and do whatever they want inside it.
- 🔧 Scan images before deploying or running them, and make the scan a standard step of the build workflow whenever you build your own images.
- 🔒 Trivy can also scan Infrastructure as Code (IaC) files such as Terraform, Dockerfiles and Kubernetes manifests for misconfigurations.
- 💾 The demonstration uses an Ubuntu 18.04 server on Linode with Docker installed and runs Trivy from its official container image rather than the standalone binary.
- 📊 Trivy's output lists each finding with the affected package, vulnerability ID, severity, installed version, fixed version and title, sorted by severity.
- 🛡️ Fixing findings in the original Dockerfile, rebuilding, rescanning, and repeating that cycle regularly keeps container environments secure.
Q & A
What is the main focus of the video?
-The main focus of the video is Docker image analysis with Trivy, specifically scanning Docker images for vulnerabilities and misconfigurations.
Why is vulnerability scanning for Docker images important?
-Vulnerability scanning for Docker images is important because it helps identify security vulnerabilities in the packages used within a Docker image, preventing potential exploitation by attackers and ensuring container security.
What are the prerequisites for using Trivy as demonstrated in the video?
-The prerequisites for using Trivy include basic familiarity with Docker and Docker CLI commands, as well as familiarity with Linux and various command line utilities.
What is Trivy and what can it be used for?
-Trivy is a scanner for vulnerabilities in container images, file systems and Git repositories, and for configuration issues. It can also scan infrastructure as code (IaC) files such as Terraform, Dockerfiles and Kubernetes manifests for misconfigurations that expose a deployment to attack.
How does Trivy help with Docker security?
-Trivy helps with Docker security by scanning Docker images for vulnerabilities and misconfigurations, allowing users to identify and fix issues before deploying or running the images.
What is the significance of scanning Docker images before deployment?
-Scanning Docker images before deployment is significant because it allows detection of vulnerabilities that could be exploited by attackers, ensuring that the images are as secure as possible before they are used in production environments.
What does the video demonstrate in terms of practical application of Trivy?
-The video shows the full workflow on a Linode Ubuntu host: pulling the aquasec/trivy image with `docker pull`, pulling the target images locally, running the Trivy container with its cache directory mounted as a volume and `image <name>` as the arguments (the first attempt failed because the `image` subcommand was missing), waiting for the vulnerability database download, and reading the resulting table, which is sorted by severity and lists package, CVE ID, installed version, fixed version and title.
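The workflow above, as an added example that is not code from the video or from the Trivy project: a small Python wrapper that builds the same `docker run ... aquasec/trivy image` invocation the video uses but with `--format json`, flattens the report into the columns the video walks through, sorts by severity and applies a build gate. It assumes Trivy's JSON layout (`Results` entries carrying a `Vulnerabilities` list with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity` and `Title`) and the Docker-socket mount that Trivy documents for running it as a container. The sample report, its package versions and the non-bash CVE IDs are constructed; only CVE-2014-6271 (Shellshock) is a real identifier.

```python
"""Run Trivy from its container image, flatten the JSON report and gate on severity."""
import json
import os
import subprocess
from typing import Callable, Dict, List

# Trivy's severity levels, most severe first
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}


def trivy_command(image: str, cache_dir: str = os.path.expanduser("~/.cache/trivy")) -> List[str]:
    """Build the docker invocation from the video, asking for JSON instead of the table.

    The cache volume keeps the vulnerability DB between runs. Mounting the Docker
    socket lets Trivy scan an image already pulled on the host; without it Trivy
    fetches the image from the registry itself.
    """
    return [
        "docker", "run", "--rm",
        "-v", "/var/run/docker.sock:/var/run/docker.sock",
        "-v", f"{cache_dir}:/root/.cache/",
        "aquasec/trivy", "image", "--format", "json", image,
    ]


def run_command(cmd: List[str]) -> str:
    """Default runner: execute the command and return its stdout (the JSON report)."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_report(report_json: str) -> List[Dict[str, str]]:
    """Flatten a Trivy JSON report into one dict per finding, ordered like Trivy's table."""
    findings = []
    for result in json.loads(report_json).get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "pkg": vuln.get("PkgName", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "severity": str(vuln.get("Severity", "UNKNOWN")).upper(),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "title": vuln.get("Title", ""),
            })
    findings.sort(key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), f["pkg"], f["id"]))
    return findings


def severity_counts(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Number of findings per severity level."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def gate(findings: List[Dict[str, str]], threshold: str = "HIGH", fixable_only: bool = True):
    """Findings that should fail the build: at or above `threshold` and, by default,
    only those with a fixed version, since those are what a rebuild can remove."""
    limit = SEVERITY_RANK[threshold]
    return [f for f in findings
            if SEVERITY_RANK.get(f["severity"], 0) >= limit and (f["fixed"] or not fixable_only)]


def scan_image(image: str, runner: Callable[[List[str]], str] = run_command):
    """Scan `image`; `runner` is injectable so the parsing can be exercised offline."""
    return parse_report(runner(trivy_command(image)))


def format_table(findings: List[Dict[str, str]]) -> str:
    """Render the same columns Trivy prints in its table output."""
    header = f"{'LIBRARY':<10} {'VULNERABILITY ID':<16} {'SEVERITY':<9} {'INSTALLED':<20} {'FIXED IN':<20} TITLE"
    rows = [f"{f['pkg']:<10} {f['id']:<16} {f['severity']:<9} {f['installed']:<20} {f['fixed']:<20} {f['title']}"
            for f in findings]
    return "\n".join([header, *rows])


# Constructed sample report (not real Trivy output). Versions are illustrative and
# the sudo/coreutils IDs are placeholders; only CVE-2014-6271 (Shellshock) is real.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "example/shellshock-app (ubuntu 14.04)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "sudo", "InstalledVersion": "1.8.9-1",
         "FixedVersion": "1.8.9-2", "Severity": "HIGH", "Title": "sudo: privilege escalation"},
        {"VulnerabilityID": "CVE-2014-6271", "PkgName": "bash", "InstalledVersion": "4.3-7",
         "FixedVersion": "4.3-7.1", "Severity": "CRITICAL",
         "Title": "bash: specially crafted environment variables can be used to inject shell commands"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "coreutils", "InstalledVersion": "8.21-1",
         "FixedVersion": "", "Severity": "LOW", "Title": "coreutils: chroot escape"},
    ],
}]})

if __name__ == "__main__":
    import sys
    # Offline demo with the constructed report; pass an image name to scan for real.
    findings = scan_image(sys.argv[1]) if len(sys.argv) > 1 else parse_report(SAMPLE_REPORT)
    print(format_table(findings))
    print(severity_counts(findings))
    sys.exit(1 if gate(findings) else 0)
```

Gating on fixable findings only is a deliberate choice: a HIGH with no fixed version cannot be cleared by rebuilding, so failing the build on it just trains people to ignore the gate; track those separately instead.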
What is the Shell Shock vulnerability mentioned in the video?
-Shellshock is a family of security bugs in the widely used Unix Bash shell, the first of which (CVE-2014-6271) was disclosed on 24 September 2014. Specially crafted environment variables can be used to inject shell commands, which lets an attacker execute arbitrary commands remotely; that remote exploitability is why it is rated critical. In the video, scanning an image built to host a Shellshock-vulnerable web application shows the bash package flagged critical with the version it was fixed in.
How does Trivy categorize vulnerabilities in its scan results?
-Trivy sorts its results table by severity using the levels UNKNOWN, LOW, MEDIUM, HIGH and CRITICAL. In the video the ubuntu:18.04 scan is mostly low with a few medium privilege escalation findings, the bWAPP image adds high ones, and the Shellshock image has a critical bash finding. Severity comes from the vulnerability database (the distribution's own advisory rating where one exists, otherwise NVD), so the same CVE can carry a different severity on different base images.
What is the next topic covered in the series after Docker image analysis with Trivy?
-The next topic covered in the series is incident response with FireEye Redline, a tool developed by FireEye for incident response and digital forensics.
Outlines
🛡️ Docker Image Security with Trivy
This paragraph introduces the Blue Team Training series episode on Docker image analysis with Trivy, a vulnerability scanner. It explains why images should be scanned before deployment: a container is created from an image, the image is built from a Dockerfile, and a vulnerable package in the base image or added layers can be exploited to gain access to the container no matter how well the host is hardened. The video covers why vulnerability scanning matters, an introduction to Trivy, and a demonstration of scanning images for vulnerabilities and misconfigurations. Prerequisites are familiarity with Docker and its CLI commands and with Linux command line utilities. The speaker also points to an earlier Docker security series made with Linode on securing Docker from the ground up, and recommends that organizations building their own images add a scan to the build workflow and patch what it finds.
🔍 Practical Demonstration of Trivy for Docker Image Scanning
The speaker sets up a Linode server running Ubuntu 18.04 with Docker installed and enabled. Trivy is developed by Aqua Security; its GitHub README describes it as a scanner for vulnerabilities in container images, file systems and Git repositories, as well as for configuration issues, and includes a quick start. The speaker notes that the standalone Trivy binary can be installed from Aqua's package source but, since the focus is Docker images, pulls the aquasec/trivy container image instead and uses it to check for vulnerabilities in OS packages. Trivy's ability to scan IaC files such as Dockerfiles, Terraform and Kubernetes manifests for misconfigurations is also mentioned. A first attempt to scan a bWAPP image with the Trivy container fails.
📝 Scanning Docker Images with Trivy: A Step-by-Step Guide
The speaker pulls the target images locally (ubuntu:18.04 and a bWAPP image) and finds that the scan had failed because the invocation was missing Trivy's `image` subcommand; running the Trivy container with the cache directory mounted as a volume and `image ubuntu:18.04` as the arguments works. Trivy downloads its vulnerability database and prints the findings sorted by severity; the table columns are the affected library or package, vulnerability ID (CVE), severity, installed version, fixed version and the vulnerability title. Most ubuntu:18.04 findings are low, with a few medium privilege escalation issues. One caveat the video does not state: when Trivy runs inside a container without the host's Docker socket mounted, it cannot see locally pulled images and fetches the image from the registry itself; mounting /var/run/docker.sock into the Trivy container makes it scan the local copy.
🚨 Identifying High-Severity Vulnerabilities in Docker Images
The speaker scans the bWAPP image, which has many more findings, including a high-severity privilege escalation in the sudo package, several buffer overflows and a second high-severity finding, and notes that Trivy checks every package and library, including PHP and web framework dependencies, not just OS utilities. To show a clearly exploitable case, a Docker image that hosts a web application vulnerable to Shellshock is pulled and scanned; the bash package is flagged critical, with the title describing specially crafted environment variables injecting shell commands and the fixed version listed. The point made is that containers are part of the infrastructure: a remotely exploitable bug in a package inside a customer-facing container gives an attacker access to that container, so security has to start where the images are built.
🔚 Conclusion and Preview of Incident Response with FireEye Redline
The final paragraph closes the demonstration by describing the remediation loop: review the report for an image you own, amend the original Dockerfile, rebuild, and rescan to confirm the fixes landed, repeating the cycle. The speaker points to the Trivy documentation for scanning Git repositories and Dockerfiles for misconfigurations, notes that all links will be provided as resources, and previews the next and final video in the series on incident response with FireEye Redline, described as one of the best solutions for incident response and digital forensics. The video ends with a thank you and a musical outro.
Keywords
💡Docker Image
💡Vulnerability Scanning
💡Trivy
💡Dockerfile
💡Misconfigurations
💡Infrastructure as Code (IaC)
💡Docker CLI Commands
💡CVE
💡Shell Shock
💡Privilege Escalation
Highlights
Introduction to Docker image analysis with Trivy, emphasizing the importance of scanning for vulnerabilities.
Explanation of why vulnerability scanning for Docker images is crucial for security.
Overview of Trivy as a tool for scanning Docker images, file systems, and Git repositories.
Prerequisites for using Trivy, including familiarity with Docker, Docker CLI, and Linux command line utilities.
The process of Docker vulnerability scanning to identify security vulnerabilities in packages used within Docker images.
How Docker images are created from Dockerfiles and the significance of scanning for vulnerabilities in base images.
The importance of scanning Docker images before deployment to detect and fix vulnerabilities.
Trivy's capability to scan for misconfigurations and vulnerabilities in infrastructure as code (IaC) files.
Demonstration of how to use Trivy to scan Docker images for vulnerabilities and misconfigurations.
Setting up a lab environment with an Ubuntu 18.04 server and Docker for practical Trivy usage.
Instructions on installing and using the Trivy Docker image for scanning.
Practical example of scanning a Docker image and interpreting the results, including sorting by severity.
Identification of medium and high severity vulnerabilities in scanned Docker images.
Explanation of how to address vulnerabilities found in Docker images by patching or rebuilding images.
Discussion on the critical nature of container security and its impact on overall infrastructure security.
Use of Trivy to scan for Shell Shock vulnerability in a Docker image, illustrating the tool's practical application.
Conclusion of the practical demonstration and preview of the next video on incident response with FireEye Redline.
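The rebuild-and-rescan loop the video describes (fix the original Dockerfile, rebuild the image, scan it again to confirm the patches landed), as an added example that is not part of the video or of the Trivy project: a Python script that compares the Trivy JSON report taken before the Dockerfile change with the one taken after the rebuild and reports which findings the rebuild removed, which remain, which are new, and which of the remaining ones already have a fixed version and should be the next target. It assumes Trivy's JSON layout (`Results` entries with a `Vulnerabilities` list carrying `PkgName`, `VulnerabilityID`, `Severity` and `FixedVersion`). The two reports below are constructed, with placeholder IDs and illustrative versions; only CVE-2014-6271 (Shellshock) is a real identifier.

```python
"""Diff two Trivy JSON reports: the scan before a Dockerfile fix and the scan after the rebuild."""
import json
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (package name, vulnerability ID)


def findings_by_key(report_json: str) -> Dict[Key, dict]:
    """Index a report by (package, CVE) so the same bug lines up across two scans."""
    indexed: Dict[Key, dict] = {}
    for result in json.loads(report_json).get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            indexed[(vuln.get("PkgName", ""), vuln.get("VulnerabilityID", ""))] = vuln
    return indexed


def compare_reports(before_json: str, after_json: str) -> Dict[str, List[Key]]:
    """Classify every finding as fixed by the rebuild, still remaining, or newly introduced."""
    before = findings_by_key(before_json)
    after = findings_by_key(after_json)
    remaining = sorted(k for k in before if k in after)
    return {
        "fixed": sorted(k for k in before if k not in after),   # removed by the rebuild
        "remaining": remaining,                                  # still present after the rebuild
        "new": sorted(k for k in after if k not in before),     # e.g. a refreshed base layer or newer DB
        # Remaining findings that already have a fixed version: the next Dockerfile
        # change (apt-get upgrade, bumping the base tag) should target these first.
        "still_fixable": [k for k in remaining if after[k].get("FixedVersion")],
    }


def summarize(delta: Dict[str, List[Key]]) -> str:
    """Human-readable summary of a comparison."""
    lines = []
    for label in ("fixed", "new", "remaining", "still_fixable"):
        lines.append(f"{label}: {len(delta[label])}")
        lines.extend(f"  {pkg} {vuln_id}" for pkg, vuln_id in delta[label])
    return "\n".join(lines)


def _report(target: str, vulns: List[dict]) -> str:
    """Wrap a list of findings in the minimal Trivy JSON shape used here."""
    return json.dumps({"Results": [{"Target": target, "Vulnerabilities": vulns}]})


# Constructed reports (not real Trivy output). Versions are illustrative; only
# CVE-2014-6271 (Shellshock) is a real ID, the others are placeholders.
BEFORE = _report("shellshock-app:v1 (ubuntu 14.04)", [
    {"VulnerabilityID": "CVE-2014-6271", "PkgName": "bash", "InstalledVersion": "4.3-7",
     "FixedVersion": "4.3-7.1", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "sudo", "InstalledVersion": "1.8.9-1",
     "FixedVersion": "1.8.9-2", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libc6", "InstalledVersion": "2.19-0",
     "FixedVersion": "", "Severity": "MEDIUM"},
])
# After the Dockerfile was changed to install the fixed bash and the image rebuilt:
# bash is gone, sudo and libc6 are untouched, and the refreshed base layer adds one LOW.
AFTER = _report("shellshock-app:v2 (ubuntu 14.04)", [
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "sudo", "InstalledVersion": "1.8.9-1",
     "FixedVersion": "1.8.9-2", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libc6", "InstalledVersion": "2.19-0",
     "FixedVersion": "", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "openssl", "InstalledVersion": "1.0.1f-1",
     "FixedVersion": "1.0.1f-2", "Severity": "LOW"},
])

if __name__ == "__main__":
    print(summarize(compare_reports(BEFORE, AFTER)))
```

Keying on (package, CVE) rather than on the CVE alone matters when the same advisory is reported for several packages from one source (libssl and openssl, for instance): fixing one should not silently mark the other as fixed.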
Transcripts
hello everyone welcome back to the blue
team training series brought to you by
hackersploit and linode in this video
we'll be taking a look at Docker image
analysis with Trivy more specifically
the process of scanning Docker images
for vulnerabilities with Trivy
[Music]
so in regards to what we'll be covering
we'll firstly get an understanding as to
why vulnerability scanning for Docker
images is so important we'll also get an
introduction to Trivy and finally during
the Practical demonstration we'll take a
look at how to scan Docker images for
vulnerabilities and misconfigurations
with Trivy in relation or in regards to
the actual prerequisites you need to
have a basic familiarity with Docker and
the docker CLI commands because we're
going to be interacting with Docker
containers and of course you need to
have familiarity with Linux and various
command line utilities because we're
going to be you know utilizing Docker on
Linux if you're new to Docker and Docker
security then please do take a look at
the actual Docker security series that
we actually uh you know did with linode
the link to that will be added as a
resource to this video where we covered
the process of securing Docker from the
ground up with that being said let's get
an understanding as to why vulnerability
scanning for Docker images is very
important all right so let's understand
the process first so Docker
vulnerability scanning is the process of
identifying security vulnerabilities for
the packages that are utilized in a
Docker image so whenever you're creating
a Docker container the docker container
is Created from a Docker image right and
the docker image is essentially uh you
know made up of a Dockerfile the
Dockerfile essentially is a is a file that
contains commands and allows you to
configure you know what your image what
packages you want your image to run on
so you know you could specify you want
your you you want your image to utilize
Ubuntu 18.04 as a base and then you can
you can essentially add in additional
configurations based on what you want
your image to do when it is run as a
container so
we're essentially looking for uh you
know security vulnerabilities and
misconfigurations uh you know in the
packages utilized within the docker
image because uh you know if I utilize
Ubuntu 18.04 as a base the packages
included with that particular uh image
that base image might be vulnerable to
vulnerabilities and if they are then an
attacker could potentially exploit that
package and gain access to that Docker
container and you know they could then
uh you know perform pretty much whatever
or perform or do pretty much whatever
they wanted to do within that Docker
container so this process will allow you
to detect vulnerabilities in images
before deploying or running them so uh
you know with the Advent or with the
rise of of Docker in terms of popularity
and deployment uh Docker and containers
uh and container security needs to be
taken much more seriously and as I said
if you are an organization and you're
building your own Docker images then
this is some that you should include
within that workflow so whenever you've
built a Docker image always perform a
vulnerability scan on it so uh you know
once you've identified these
vulnerabilities the vulnerabilities can
then be patched or fixed in order to
make the image as secure as possible
this is a very important aspect of
Docker security primarily because all
the security measures we have
implemented on the host system uh you
know can be usurped by a single
vulnerability in one of the packages so
again just because you've secured the
operating system where you have Docker
running on uh you know you know that
isn't the end of security with relation
to Docker uh and of course this is
primarily going to be focused on you
know image and container security uh
with that being said
um let's get an introduction to Trivy
Trivy is the tool we're going to be
using to perform these scans so Trivy is
a simple and comprehensive scanner for
vulnerabilities in container images file
systems and git repositories as well as
for configuration issues so it's not
just limited to uh you know scanning
container images it can also be used to
scan for misconfigurations and
vulnerabilities in file systems get
repos Etc so it's a very very useful
tool uh in that sense Trivy can be used
to scan infrastructure as code or IAC
files such as terraform dockerfile and
kubernetes to detect potential
configuration issues that expose your
deployments to the risk of attack we can
utilise Trivy to scan Dockerfiles
for misconfigurations and
vulnerabilities that could potentially
lead to exploitation or data exposure so
the objective here is you know to
essentially scan a particular Dockerfile
or in this case would be scanning
the images themselves with Trivy to
identify misconfigurations that can then
be fixed within the original Dockerfile
from which that image was built from
so let's get started with the Practical
demonstration as for the lab environment
I've set up a server on linode it's a
simple Ubuntu 18.04 server with Docker
already installed and that's where we're
going to be running all of these checks
so let me just switch over to my Ubuntu
VM
all right so I'm back on my Ubuntu VM
and you can see I've created a Ubuntu
Server called Docker host and it doesn't
really have anything running on it the
only thing I've done is installed Docker
and you know essentially enable the
service and start it just to make sure
that Docker is running as I said we're
going to be utilizing Trivy so this is
the Trivy GitHub repository all the
links are mentioned within this video
going to be added as a resource uh you
know for this video so don't worry about
that Trivy is created by a company
called aquasec as you can see the
description is fairly simple here
scanner for vulnerabilities and
container images file systems and git
repositories as well as for
configuration issues and then it
provides you with a really really cool
ASCII video here or just a simple screen
capture as to how you can scan for
vulnerabilities in container images here
as well as uh you know scanning for
misconfigurations in IAC files and of
course it gives you a quick start in
regard out to you know how you can
utilize it so
in the context of Docker you can see
that right over here as it says here
scan directory for misconfigurations
uh simply specify directory containing
the IaC files such as terraform and
Dockerfiles so in this case you need
the Trivy binary and you can easily
install uh you know the Trivy binary
however in this case because we're
primarily focused on Docker images if we
take a look at the Trivy documentation
you can see that you know we can scan
Docker images using the following syntax
and if we click on vulnerability
detection you can see that we all we can
essentially check for vulnerabilities in
OS packages so in order to do this we're
going to be utilizing the Trivy docker
image here so let me just refresh that
for some reason the images aren't being
displayed which is uh I think that's
fine but let me just disable my ad
blocker here and let's refresh the page
just to see or just to make sure that
that is the case
all right so we'll be utilizing the uh
the actual Trivy uh image here so there
we are you can see a simple and
comprehensive vulnerability scanner for
containers
so
what we're going to do here is we take a
look at the documentation you can see
that the features it provides us with
here so detect comprehensive
vulnerabilities in operating system
packages and you know we can easily go
through this right so you know you can
take a look at the installation
instructions here for Trivy so uh you
know we can essentially add the actual
Source here and we can then install
Trivy but as I said we're going to be
using the docker image so I will just
pull this Docker image on my Docker host
here so I've already logged into the
server so I'll say Docker pull and it's
going to pull the latest image there
and we'll give that a couple of seconds
once that is done we can actually get
started with the scan so now uh the
objective would be to identify an image
that you'd like to scan for
misconfigurations it could be a local
image that you created yourself
or you can essentially perform a scan on
some of the other ones here so for
example uh we'll be using this
vulnerable uh image in a couple of
seconds but you know we can scan for
vulnerabilities in any other images so
you know I can search for let's see
um we can search for maybe one of my own
so
let's see if we can find some of my own
images here so for example the bug
Bounty toolkit I think that will
actually be too too large to perform
this uh you know
but we can search for the ones I created
I know I did create a log4j1
um
we can actually scan this one here so
uh for every Docker image there's going
to be a Dockerfile right so you know we
can click on the latest release there
and you can see that this is essentially
the Dockerfile there so
um
what we can do is if we wanted to scan
this particular image I can essentially
just copy the name here so you know I
can just say hackersploit bwapp docker
that's just a simple image that allows
you to spin up a an instance of the
extremely buggy web application so in
order to do this we're going to say
Docker run and we're going to remove
this when we're done and we are going to
say
um you know
we want to run Trivy
so Trivy and that is going to be
um we are going to specify the cache
directory here which we need to when
running Trivy so root and we can just
say cache there we are and we then
specify
uh the actual uh the actual Trivy image
that we pulled so aquasec
Trivy
and then specify the actual image you
would like to scan so in this case
hackersploit bwapp docker hit enter
uh in this case it doesn't look like uh
that is going to allow us to do that so
uh let me see if I we need to change
anything here can we actually scan
Ubuntu
um so I'm going to say Ubuntu let's try
18.04 here
uh do we need to get that so pull uh
Docker pull
uh not soccer we want to type in Docker
pull
Ubuntu 18.04 does it need to be local
first I think it does need to be local
so yes you actually need to pull the
image and have it locally so I'm going
to still say hackersploit
um bwapp docker
that's going to pull that as well this
is quite large even
better so that's done and it's then
going to extract so I'm just going to
wait for this to complete here
and once that is done
we can say Docker images
and we have the images here so if we run
that again against the Ubuntu image
which for some reason it's not letting
me do because we are specifying the
arguments correctly
um so what we can do is try and run the
actual docker the actual Trivy Docker
image here and uh yeah so that works and
we need to specify the options so we can
say in this case we're scanning an image
so we can say image and then specify
Ubuntu
18.04 and let's see if that works that
indeed does work so it's going to
download the database here uh once that
is done it should scan that image for
vulnerabilities and indeed we can see
that we have all the vulnerabilities
listed here as well as their respective
CVE code so because this image is so old
you can see that they're sorted the
vulnerabilities are sorted based on
their severity so we have low medium and
high as well as critical and it looks
like a majority of them are you know
have a low severity there and then of
course we have a few medium severity
vulnerabilities so the the table
displayed to you here will essentially
will be sorted into various columns so
you have the library or the package
that's affected and then the
vulnerability ID the severity the
installed version and the version where
this was fixed so that you can update
that and then of course the title of the
vulnerability so uh you can see that
let's see if we can find any of the
medium of severity vulnerabilities here
it looks like that's a privilege
escalation vulnerability medium here
again same thing and the other medium
one here so again this gives you an idea
as to what needs to be patched in this
case this still looks relatively safer
than than other Docker images so we can
actually run this against some of my
other images so I'm going to say Docker
images and the screen might be a little
bit small for you but that's because you
know I want the table displayed fully so
I'll say image and in this case we can
say hackersploit and you know bwapp
docker
uh bwapp docker
hit enter let's see it's going to
download the database there
and that's the vulnerability database so
we'll give this a couple of seconds
and yup as expected this one is going to
have quite a lot of vulnerabilities uh
and you can see that we can actually uh
you know
we have scrolling not set up correctly
here so I'm just going to head over into
profiles and into scrolling I'm going to
set that to infinite scroll back and
we're just going to run this again so
I'll clear out my terminal there we are
just so that we can see all the output
for that particular image there so
I'm just going to let this complete here
and there we go so we have a high
severity vulnerability now we're talking
so you can see the sudo package in this
Docker image uh you can see right over
here
has the relative CVE code and the
severity is high uh now if I would have
just run this Docker image without
knowing this then you know I would not
uh you know I would essentially be
running a vulnerable Docker container
that you know in in the case of this
vulnerability this is a privilege
escalation vulnerability so it's really
not that important but you know you get
the idea these are vulnerabilities that
could uh negatively impact your
container infrastructure so
let's take a look at some of the other
ones here so these are all low low
severity vulnerabilities we have a
couple of medium ones here
and as you can see it performs a check
on all the packages or libraries
regardless of whether they're you know
Linux utilities or libraries uh but also
you know if it is running PHP or the
docker container is utilizing Frameworks
uh
web Frameworks so you can see there's
quite a few vulnerabilities for this
particular image and in this case you
can see we have a few buffer overflows
there
let's see if we can find a couple more
so we have another high one here that's
really not a remote code execution of
vulnerability there
and we have a couple of other ones here
so you get the idea now the to show you
that uh you know in the case of uh to
actually give you a better example we're
going to be utilizing a Docker image
here that is used to essentially set up
a vulnerable web application or a web
application that is vulnerable to Shell
Shock so uh if you're not familiar with
shell shock Shell Shock is a family of
security bugs in the widely used Unix
bash shell the first of which was
disclosed on the 24th of September 2014
and it essentially allows attackers to
remotely execute arbitrary commands so
this will be a perfect example to show
you how this works so uh you know I'll
just get rid of that there and we'll say
Docker pull and we're going to pull that
image there
so there we are
and we can now uh you know specify that
we want to run that particular so I'm
going to say we're going to run the
Trivy
image there's a container and that is we
are essentially just going to copy the
name there
and we'll hit enter and let's see what
vulnerabilities affect this particular
Docker image
so there we are we have quite a few and
let's see if we can identify the shell
shock vulnerability
so I'm just going to go through all of
these here and I'll just go to the top
here and we should be able to see the
total number of vulnerabilities uh that
affects this particular Docker image so
if we take a look at bash here we can
see that this is the shell shock
vulnerability so this is set to critical
as you can obviously tell and it tells
you what version this was fixed in so
you can actually install that version so
a specially crafted environment
variables can be used to inject shell
commands and you know this is critical
because uh this attack or this
vulnerability can be exploited remotely
so if this a Docker container and the
web application hosted within it was
hosted uh or you know was was actually
being hosted to serve customers and you
know an attacker could potentially you
know identify the vulnerability and
exploit it and consequently gain access
to your Docker container so the most
important thing to note here is that
Docker containers are part of the
infrastructure and as a result their
security or the security of your Docker
or containers needs to be taken into
consideration uh you know directly or
from the actual uh point where you're
actually creating the images yourself
now in this case I've I've performed
scans on images that I are not mine
apart from the actual uh bWAPP apart
from the bWAPP image and in that case I
would be able to go through that report
or you know take a look at all the
vulnerabilities uh you know within that
particular Docker image and I'll be able
to fix those or make amendments to the
original Dockerfile I can then build
the new Docker image and run a scan on
it again to see whether those patches
have been implemented and the actual
process of the cycle repeats itself so
go ahead you can take a look at you know
the actual Trivy documentation if
you're interested in using it to scan
for misconfigurations in git
repositories as well as Dockerfiles
themselves
uh which uh you know can also be very
very useful as I said all the links
utilized in this video will also be
provided as an additional resource uh
with that said that is going to conclude
the
practical demonstration side of this
video
so in the next video and the final video
within this series we're going to be
taking a look at incident response with
FireEye Redline all right so the actual
Redline tool made or developed by FireEye
is pretty much one of the best Solutions
out there when it comes down to incident
response and digital forensics so that
is what we'll be exploring in the next
video
[Music]
thank you
[Music]