All-In-One Open Source Security Scanner | Docker Image Analysis with Trivy

Akamai Developer

17 Mar 202320:39

Summary

TLDRThis video from the Blue Team Training series explores Docker image analysis with Trivy, emphasizing the importance of vulnerability scanning for container security. It introduces Trivy, a tool for scanning images, file systems, and Git repositories for vulnerabilities and misconfigurations. The tutorial demonstrates how to use Trivy to identify and address security issues in Docker images, showcasing its capabilities through practical examples and emphasizing the significance of incorporating vulnerability scanning into Docker workflows.

Takeaways

🔍 Vulnerability scanning for Docker images is crucial for identifying security risks in packages used in Docker images.
🛠️ Trivi is a comprehensive tool for scanning Docker images, file systems, and Git repositories for vulnerabilities and configuration issues.
📋 The process involves understanding the importance of vulnerability scanning, an introduction to Trivi, and a practical demonstration of scanning Docker images with Trivi.
🐳 Docker containers are created from Docker images, which are defined by Dockerfiles that specify the packages and configurations used.
⚠️ Vulnerabilities in the packages used in Docker images can lead to potential exploitation by attackers.
🔧 It is important to scan Docker images for vulnerabilities before deploying them to ensure the security of the containerized applications.
🔒 Trivi can also scan Infrastructure as Code (IaC) files like Terraform, Dockerfiles, and Kubernetes configurations for potential issues.
💾 A practical demonstration shows how to set up and use Trivi on an Ubuntu server with Docker installed to scan for vulnerabilities.
📊 Trivi outputs detailed information on detected vulnerabilities, including severity, affected packages, and fixed versions.
🛡️ Regularly scanning and updating Docker images based on Trivi's findings helps maintain secure container environments.

Q & A

What is the main focus of the video?
-The main focus of the video is Docker image analysis with Trivy, specifically scanning Docker images for vulnerabilities and misconfigurations.
Why is vulnerability scanning for Docker images important?
-Vulnerability scanning for Docker images is important because it helps identify security vulnerabilities in the packages used within a Docker image, preventing potential exploitation by attackers and ensuring container security.
What are the prerequisites for using Trivy as demonstrated in the video?
-The prerequisites for using Trivy include basic familiarity with Docker and Docker CLI commands, as well as familiarity with Linux and various command line utilities.
What is Trivy and what can it be used for?
-Trivy is a tool for scanning vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues. It can be used to scan infrastructure as code (IaC) files such as Terraform, Dockerfile, and Kubernetes to detect potential configuration issues.
How does Trivy help with Docker security?
-Trivy helps with Docker security by scanning Docker images for vulnerabilities and misconfigurations, allowing users to identify and fix issues before deploying or running the images.
What is the significance of scanning Docker images before deployment?
-Scanning Docker images before deployment is significant because it allows detection of vulnerabilities that could be exploited by attackers, ensuring that the images are as secure as possible before they are used in production environments.
What does the video demonstrate in terms of practical application of Trivy?
-The video demonstrates a practical application of Trivy by showing how to scan Docker images for vulnerabilities and misconfigurations, including pulling the Trivy Docker image, running scans on specific images, and interpreting the results.
What is the Shell Shock vulnerability mentioned in the video?
-The Shell Shock vulnerability is a family of security bugs in the Unix Bash shell, which allows attackers to remotely execute arbitrary commands. It was first disclosed in September 2014 and is considered critical due to its potential for remote exploitation.
How does Trivy categorize vulnerabilities in its scan results?
-Trivy categorizes vulnerabilities in its scan results based on their severity, which can include low, medium, high, and critical levels.
What is the next topic covered in the series after Docker image analysis with Trivy?
-The next topic covered in the series is incident response with FireEye Redline, a tool developed by FireEye for incident response and digital forensics.

Outlines

00:00

🛡️ Docker Image Security with Trivi

This paragraph introduces a training series on Docker image analysis using Trivi, a vulnerability scanner. It emphasizes the importance of scanning Docker images for security vulnerabilities before deployment. The video will cover the basics of why vulnerability scanning is essential, provide an introduction to Trivi, and demonstrate how to scan images for vulnerabilities and misconfigurations. The prerequisites for the tutorial include familiarity with Docker, its CLI commands, and Linux command line utilities. The paragraph also mentions a Docker security series for beginners and highlights the need for security measures in Docker images to prevent potential exploitation by attackers.

05:02

🔍 Practical Demonstration of Trivi for Docker Image Scanning

The speaker begins a practical demonstration of using Trivi to scan Docker images for vulnerabilities and misconfigurations. They set up a server on Linode with Docker pre-installed and proceed to explain the process of scanning. The paragraph details the installation of the Trivi binary and how to use the Trivi Docker image to scan for vulnerabilities in OS packages. The speaker also discusses the features of Trivi, including its ability to scan for misconfigurations in IAC files such as Dockerfiles and Kubernetes configurations. The demonstration includes an attempt to scan a specific Docker image for vulnerabilities, showcasing the process and the output of the scan.

10:02

📝 Scanning Docker Images with Trivi: A Step-by-Step Guide

This paragraph continues the practical demonstration by explaining the steps to scan Docker images using Trivi. The speaker clarifies the need to pull the Docker image locally before scanning and demonstrates the command to run Trivi for scanning an image. They encounter a minor issue with the command syntax but quickly resolve it and successfully scan the Ubuntu 18.04 image, displaying the vulnerabilities found, sorted by severity. The output includes details such as the affected package, vulnerability ID, severity, installed version, fixed version, and the title of the vulnerability.

15:04

🚨 Identifying High-Severity Vulnerabilities in Docker Images

The speaker continues to demonstrate the use of Trivi by scanning another Docker image, this time focusing on high-severity vulnerabilities. They show how to identify and list vulnerabilities, including a critical Shell Shock vulnerability in the bash package. The paragraph highlights the risks associated with running vulnerable Docker containers and the importance of addressing these vulnerabilities to secure the container infrastructure. The demonstration includes scanning multiple images and discussing the implications of the findings.

20:06

🔚 Conclusion and Preview of Incident Response with FireEye Redline

The final paragraph concludes the practical demonstration on Docker image scanning with Trivi and previews the next topic in the series, which is incident response with FireEye Redline. The speaker briefly describes FireEye Redline as a top solution for incident response and digital forensics, indicating that it will be the focus of the upcoming video. The paragraph ends with a thank you note and a musical outro, signaling the end of the current video tutorial.

Mindmap

Keywords

💡Docker Image

A Docker image is a read-only template with instructions for creating a Docker container. It contains the necessary software, libraries, settings, and environment to run an application. In the context of the video, Docker images are the primary subject for vulnerability scanning to ensure security before deployment. The script mentions Docker images as being composed of a Dockerfile, which is a script with commands for configuring the image.

💡Vulnerability Scanning

Vulnerability scanning is the process of identifying, quantifying, and prioritizing vulnerabilities in software or systems. In the video, it is emphasized as a critical step in Docker security to detect potential security flaws in the packages used within a Docker image. The script explains that scanning helps prevent attackers from exploiting these vulnerabilities to gain access to Docker containers.

💡Trivi

Trivi is a tool introduced in the video for scanning container images, file systems, and Git repositories for vulnerabilities and misconfigurations. It is used to ensure that Docker images are secure before they are deployed. The script demonstrates how Trivi can be utilized to scan Docker images and provides insights into its capabilities and usage.

💡Dockerfile

A Dockerfile is a text document that contains all the commands a user could call on the command line to assemble an image. In the video, it is mentioned as the foundational component of a Docker image, specifying the base operating system and additional configurations that the image should include.

💡Misconfigurations

Misconfigurations refer to incorrect or suboptimal settings in software or systems that can lead to security risks or inefficiencies. The video discusses the importance of scanning for misconfigurations in Docker images and files like Dockerfiles to prevent potential security breaches.

💡Infrastructure as Code (IaC)

Infrastructure as Code is a methodology where infrastructure is provisioned and managed using code files, rather than manually through a user interface. In the script, Trivi's ability to scan IaC files such as Terraform and Dockerfiles for misconfigurations is highlighted, emphasizing its role in detecting issues that could lead to security vulnerabilities.

💡Docker CLI Commands

Docker CLI commands are the command-line interface commands used to interact with Docker and manage containers and images. The video assumes that the viewer has a basic familiarity with these commands, as they are essential for interacting with Docker containers and images, especially when performing vulnerability scans with Trivi.

💡CVE

CVE stands for Common Vulnerabilities and Exposures, which is a system for identifying and cataloging known cyber security vulnerabilities. In the video, CVE codes are used to identify specific vulnerabilities found during the scanning process with Trivi, allowing users to understand and address the severity and specifics of the vulnerabilities.

💡Shell Shock

Shell Shock is a family of security vulnerabilities found in the Unix Bash shell, which allows attackers to execute arbitrary commands. The video uses an example of a Docker image vulnerable to Shell Shock to illustrate the importance of scanning and the potential risks associated with unaddressed vulnerabilities.

💡Privileged Escalation

Privileged escalation refers to the act of exploiting a software vulnerability to gain higher levels of access or permissions in a system than those normally granted by the system. The script mentions a high-severity vulnerability related to privileged escalation, emphasizing the critical nature of such vulnerabilities and the need for scanning to prevent unauthorized access.

Highlights

Introduction to Docker image analysis with Trivy, emphasizing the importance of scanning for vulnerabilities.

Explanation of why vulnerability scanning for Docker images is crucial for security.

Overview of Trivy as a tool for scanning Docker images, file systems, and Git repositories.

Prerequisites for using Trivy, including familiarity with Docker, Docker CLI, and Linux command line utilities.

The process of Docker vulnerability scanning to identify security vulnerabilities in packages used within Docker images.

How Docker images are created from Dockerfiles and the significance of scanning for vulnerabilities in base images.

The importance of scanning Docker images before deployment to detect and fix vulnerabilities.

Trivy's capability to scan for misconfigurations and vulnerabilities in infrastructure as code (IaC) files.

Demonstration of how to use Trivy to scan Docker images for vulnerabilities and misconfigurations.

Setting up a lab environment with an Ubuntu 18.04 server and Docker for practical Trivy usage.

Instructions on installing and using the Trivy Docker image for scanning.

Practical example of scanning a Docker image and interpreting the results, including sorting by severity.

Identification of medium and high severity vulnerabilities in scanned Docker images.

Explanation of how to address vulnerabilities found in Docker images by patching or rebuilding images.

Discussion on the critical nature of container security and its impact on overall infrastructure security.

Use of Trivy to scan for Shell Shock vulnerability in a Docker image, illustrating the tool's practical application.

Conclusion of the practical demonstration and预告 of the next video on incident response with FireEye Redline.

Transcripts

00:00

hello everyone welcome back to the blue

00:03

team training series brought to you by

00:05

hackersploit and linode in this video

00:08

we'll be taking a look at Docker image

00:10

analysis with trivi more specifically

00:12

the process of scanning Docker images

00:14

for vulnerabilities with trivi

00:16

[Music]

00:26

so in regards to what we'll be covering

00:28

we'll firstly get an understanding as to

00:31

why vulnerability scanning for Docker

00:33

images is so important we'll also get an

00:36

introduction to trivi and finally during

00:38

the Practical demonstration we'll take a

00:40

look at how to scan Docker images for

00:42

vulnerabilities and misconfigurations

00:44

with trivi in relation or in regards to

00:48

the actual prerequisites you need to

00:50

have a basic familiarity with Docker and

00:53

the docker CLI commands because we're

00:55

going to be interacting with Docker

00:56

containers and of course you need to

00:58

have familiarity with Linux and various

01:00

command line utilities because we're

01:02

going to be you know utilizing Docker on

01:04

Linux if you're new to Docker and Docker

01:07

security then please do take a look at

01:10

the actual Docker security series that

01:13

we actually uh you know did with linode

01:16

the link to that will be added as a

01:18

resource to this video where we covered

01:20

the process of securing Docker from the

01:22

ground up with that being said let's get

01:25

an understanding as to why vulnerability

01:27

scanning for Doc images is very

01:28

important all right so let's understand

01:31

the process first so Docker

01:33

vulnerability scanning is the process of

01:35

identifying security vulnerabilities for

01:37

the packages that are utilized in a

01:39

Docker image so whenever you're creating

01:42

a Docker container the docker container

01:44

is Created from a Docker image right and

01:46

the docker image is essentially uh you

01:49

know made up of a Docker file the docker

01:52

file essentially is a is a file that

01:55

contains commands and allows you to

01:56

configure you know what your image what

02:00

packages you want your image to run on

02:02

so you know you could specify you want

02:03

your you you want your image to utilize

02:06

Ubuntu 18.04 as a base and then you can

02:09

you can essentially add in additional

02:11

configurations based on what you want

02:14

your image to do when it is run as a

02:17

container so

02:19

we're essentially looking for uh you

02:22

know security vulnerabilities and

02:23

misconfigurations uh you know in the

02:26

packages utilized within the docker

02:28

image because uh you know if I utilize

02:30

Ubuntu 18.04 as a base the packages

02:33

included with that particular uh image

02:36

that base image might be vulnerable to

02:38

vulnerabilities and if they are then an

02:41

attacker could potentially exploit that

02:43

package and gain access to that Docker

02:45

container and you know they could then

02:47

uh you know perform pretty much whatever

02:49

or perform or do pretty much whatever

02:51

they wanted to do within that Docker

02:54

container so this process will allow you

02:56

to detect vulnerabilities in images

02:58

before deploying or running them so uh

03:01

you know with the Advent or with the

03:03

rise of of Docker in terms of popularity

03:06

and deployment uh Docker and containers

03:09

uh and container security needs to be

03:11

taken much more seriously and as I said

03:14

if you are an organization and you're

03:17

building your own Docker images then

03:18

this is some that you should include

03:20

within that workflow so whenever you've

03:23

built a Docker image always perform a

03:25

vulnerability scan on it so uh you know

03:29

once you've identified these

03:30

vulnerabilities the vulnerabilities can

03:32

then be patched or fixed in order to

03:34

make the image as secure as possible

03:36

this is a very important aspect of

03:38

Docker security primarily because all

03:40

the security measures we have

03:42

implemented on the host system uh you

03:45

know can be usurped by a single

03:46

vulnerability in one of the packages so

03:49

again just because you've secured the

03:51

operating system where you have Docker

03:53

running on uh you know you know that

03:56

isn't the end of security with relation

03:58

to Docker uh and of course this is

04:00

primarily going to be focused on you

04:02

know image and container security uh

04:05

with that being said

04:07

um let's get an introduction to trivi

04:09

trivia is the tool we're going to be

04:10

using to perform these scans so trivi is

04:13

a simple and comprehensive scanner for

04:15

vulnerabilities in container images file

04:18

systems and git repositories as well as

04:21

for configuration issues so it's not

04:23

just limited to uh you know scanning

04:25

container images it can also be used to

04:28

scan for misconfigurations and

04:29

vulnerabilities in file systems get

04:32

repos Etc so it's a very very useful

04:34

tool uh in that sense trivia can be used

04:38

to scan infrastructure as code or IAC

04:40

files such as terraform dockerfile and

04:42

kubernetes to detect potential

04:45

configuration issues that expose your

04:47

deployments to the risk of attack we can

04:49

util lies trivia to scan Docker files

04:51

for misconfigurations and

04:52

vulnerabilities that could potentially

04:54

lead to exploitation or data exposure so

04:57

the objective here is you know to

04:59

essentially scan a particular Docker

05:01

file or in this case would be scanning

05:03

the images themselves with trivi to

05:06

identify misconfigurations that can then

05:08

be fixed within the original Docker file

05:10

from which that image was built from

05:13

so let's get started with the Practical

05:15

demonstration as for the lab environment

05:17

I've set up a server on linode it's a

05:20

simple Ubuntu 18.04 server with Docker

05:23

already installed and that's where we're

05:25

going to be running all of these checks

05:26

so let me just switch over to my Ubuntu

05:28

VM

05:30

all right so I'm back on my Ubuntu VM

05:32

and you can see I've created a Ubuntu

05:35

Server called Docker host and it doesn't

05:37

really have anything running on it the

05:39

only thing I've done is installed Docker

05:41

and you know essentially enable the

05:43

service and start it just to make sure

05:45

that Docker is running as I said we're

05:47

going to be utilizing trivi so this is

05:49

the trivia GitHub repository all the

05:51

links are mentioned within this video

05:53

going to be added as a resource uh you

05:56

know for this video so don't worry about

05:57

that trivi is created by a company

06:00

called aquasec as you can see the

06:02

description is fairly simple here

06:04

scanner for vulnerabilities and

06:06

container images file systems and git

06:08

repositories as well as for

06:11

configuration issues and then it

06:13

provides you with a really really cool

06:14

ASCII video here or just a simple screen

06:18

capture as to how you can scan for

06:20

vulnerabilities in container images here

06:22

as well as uh you know scanning for

06:25

misconfigurations in IAC files and of

06:28

course it gives you a quick start in

06:30

regard out to you know how you can

06:32

utilize it so

06:33

in the context of Docker you can see

06:37

that right over here as it says here

06:41

scan directory for Miss configurations

06:43

uh simply specify directory containing

06:45

the ISE files such as terraform and

06:48

Docker files so in this case you need

06:50

the trivi binary and you can easily

06:53

install uh you know the trivi binary

06:56

however in this case because we're

06:59

primarily focused on Docker images if we

07:01

take a look at the trivia documentation

07:03

you can see that you know we can scan

07:07

Docker images using the following syntax

07:10

and if we click on vulnerability

07:11

detection you can see that we all we can

07:15

essentially check for vulnerabilities in

07:17

OS packages so in order to do this we're

07:20

going to be utilizing the trivi docker

07:23

image here so let me just refresh that

07:25

for some reason the images aren't being

07:28

displayed which is uh I think that's

07:31

fine but let me just disable my ad

07:32

blocker here and let's refresh the page

07:35

just to see or just to make sure that

07:37

that is the case

07:38

all right so we'll be utilizing the uh

07:41

the actual trivi uh image here so there

07:45

we are you can see a simple and

07:46

comprehensive vulnerability scanner for

07:48

containers

07:49

so

07:51

what we're going to do here is we take a

07:53

look at the documentation you can see

07:55

that the features it provides us with

07:58

here so detect comprehensive

07:59

vulnerabilities in operating system

08:00

packages and you know we can easily go

08:05

through this right so you know you can

08:07

take a look at the installation

08:08

instructions here for trivi so uh you

08:11

know we can essentially add the actual

08:14

Source here and we can then install

08:17

preview but as I said we're going to be

08:19

using the docker image so I will just

08:21

pull this Docker image on my Docker host

08:24

here so I've already logged into the

08:25

server so I'll say Docker pull and it's

08:27

going to pull the latest image there

08:30

and we'll give that a couple of seconds

08:34

once that is done we can actually get

08:36

started with the scan so now uh the

08:39

objective would be to identify an image

08:41

that you'd like to scan for

08:43

misconfigurations it could be a local

08:45

image that you created yourself

08:47

or you can essentially perform a scan on

08:50

some of the other ones here so for

08:51

example uh we'll be using this

08:54

vulnerable uh image in a couple of

08:55

seconds but you know we can scan for

08:57

vulnerabilities in any other images so

09:00

you know I can search for let's see

09:03

um we can search for maybe one of my own

09:06

so

09:06

let's see if we can find some of my own

09:09

images here so for example the bug

09:11

Bounty toolkit I think that will

09:13

actually be too too large to perform

09:17

this uh you know

09:18

but we can search for the ones I created

09:21

I know I did create a log4j1

09:25

um

09:26

we can actually scan this one here so

09:29

uh for every Docker image there's going

09:32

to be a Docker file right so you know we

09:34

can click on the latest release there

09:37

and you can see that this is essentially

09:38

the docker file there so

09:41

um

09:42

what we can do is if we wanted to scan

09:45

this particular image I can essentially

09:47

just copy the name here so you know I

09:50

can just say hack exploit bewap Docker

09:52

that's just a simple image that allows

09:55

you to spin up a an instance of the

09:57

extremely buggy web application so in

10:01

order to do this we're going to say

10:02

Docker run and we're going to remove

10:04

this when we're done and we are going to

10:07

say

10:08

um you know

10:10

we want to run trivia

10:12

so trivi and that is going to be

10:17

um we are going to specify the cache

10:19

directory here which we need to when

10:21

running trivia so root and we can just

10:24

say cache there we are and we then

10:27

specify

10:29

uh the actual uh the actual 3v image

10:32

that we pulled so aquasec

10:35

trivia

10:37

and then specify the actual image you

10:39

would like to scan so in this case hack

10:41

exploit by Docker hit enter

10:43

uh in this case it doesn't look like uh

10:47

that is going to allow us to do that so

10:51

uh let me see if I we need to change

10:53

anything here can we actually scan

10:55

Ubuntu

10:56

um so I'm going to say Ubuntu let's try

10:59

18.04 here

11:01

uh do we need to get that so pull uh

11:05

Docker pull

11:07

uh not soccer we want to type in Docker

11:09

pull

11:11

Ubuntu 18.04 does it need to be local

11:14

first I think it does need to be local

11:16

so yes you actually need to pull the

11:18

image and have it locally so I'm going

11:20

to still say hack exploit

11:23

um b-wap docker

11:30

that's going to pull that as well this

11:32

is quite large even

11:34

better so that's done and it's then

11:37

going to extract so I'm just going to

11:40

wait for this to complete here

11:43

and once that is done

11:46

we can say Docker images

11:48

and we have the images here so if we run

11:50

that again against the Ubuntu image

11:54

which for some reason it's not letting

11:56

me do because we are specifying the

11:58

arguments correctly

12:01

um so what we can do is try and run the

12:03

actual docker the actual trivia Docker

12:06

image here and uh yeah so that works and

12:09

we need to specify the options so we can

12:12

say in this case we're scanning an image

12:15

so we can say image and then specify

12:18

Ubuntu

12:21

18.04 and let's see if that works that

12:24

indeed does work so it's going to

12:25

download the database here uh once that

12:28

is done it should scan that image for

12:31

vulnerabilities and indeed we can see

12:33

that we have all the vulnerabilities

12:35

listed here as well as their respective

12:38

cve code so because this image is so old

12:42

you can see that they're sorted the

12:44

vulnerabilities are sorted based on

12:46

their severity so we have low medium and

12:48

high as well as critical and it looks

12:51

like a majority of them are you know

12:53

have a low severity there and then of

12:56

course we have a few medium severity

12:58

vulnerabilities so the the table

13:00

displayed to you here will essentially

13:02

will be sorted into various columns so

13:05

you have the library or the package

13:06

that's affected and then the

13:08

vulnerability ID the severity the

13:11

installed version and the version where

13:13

this was fixed so that you can update

13:15

that and then of course the title of the

13:17

vulnerability so uh you can see that

13:20

let's see if we can find any of the

13:22

medium of severity vulnerabilities here

13:25

it looks like that's a privileged

13:27

escalation vulnerability medium here

13:30

again same thing and the other medium

13:33

one here so again this gives you an idea

13:35

as to what needs to be patched in this

13:37

case this still looks relatively safer

13:40

than than other Docker images so we can

13:44

actually run this against some of my

13:46

other images so I'm going to say Docker

13:48

images and the screen might be a little

13:50

bit small for you but that's because you

13:53

know I want the table displayed fully so

13:56

I'll say image and in this case we can

13:59

say hackersploit and you know B web

14:02

docker

14:03

uh B web docker

14:06

hit enter let's see it's going to

14:09

download the database there

14:12

and that's the vulnerability database so

14:14

we'll give this a couple of seconds

14:17

and yup as expected this one is going to

14:20

have quite a lot of vulnerabilities uh

14:23

and you can see that we can actually uh

14:27

you know

14:28

we have scrolling not set up correctly

14:30

here so I'm just going to head over into

14:32

profiles and into scrolling I'm going to

14:35

set that to infinite scroll back and

14:37

we're just going to run this again so

14:39

I'll clear out my terminal there we are

14:41

just so that we can see all the output

14:43

for that particular image there so

14:48

I'm just going to let this complete here

14:51

and there we go so we have a high

14:53

severity vulnerability now we're talking

14:55

so you can see the sudo package in this

14:57

Docker image uh you can see right over

15:00

here

15:01

has the relative cve code and the

15:04

severity is high uh now if I would have

15:06

just run this Docker image without

15:08

knowing this then you know I would not

15:10

uh you know I would essentially be

15:12

running a vulnerable Docker container

15:15

that you know in in the case of this

15:17

vulnerability this is a privileged

15:18

escalation vulnerability so it's really

15:21

not that important but you know you get

15:23

the idea these are vulnerabilities that

15:25

could uh negatively impact your

15:28

container infrastructure so

15:30

let's take a look at some of the other

15:32

ones here so these are all low low

15:35

severity vulnerabilities we have a

15:37

couple of medium ones here

15:39

and as you can see it performs a check

15:41

on all the packages or libraries

15:43

regardless of whether they're you know

15:45

Linux utilities or libraries uh but also

15:49

you know if it is running PHP or the

15:52

docker container is utilizing Frameworks

15:54

uh

15:56

web Frameworks so you can see there's

15:58

quite a few vulnerabilities for this

16:01

particular image and in this case you

16:04

can see we have a few buff overflows

16:06

there

16:07

let's see if we can find a couple more

16:11

so we have another high one here that's

16:14

really not a remote code execution of

16:17

vulnerability there

16:20

and we have a couple of other ones here

16:22

so you get the idea now the to show you

16:25

that uh you know in the case of uh to

16:28

actually give you a better example we're

16:30

going to be utilizing a Docker image

16:32

here that is used to essentially set up

16:35

a vulnerable web application or a web

16:39

application that is vulnerable to Shell

16:40

Shock so uh if you're not familiar with

16:43

shell shock Shell Shock is a family of

16:46

security bugs in the widely used Unix

16:48

bash shell the first of which was

16:50

disclosed on the 24th of September 2014

16:53

and it essentially allows attackers to

16:55

remotely execute arbitrary commands so

16:57

this will be a perfect example to show

16:59

you how this works so uh you know I'll

17:02

just get rid of that there and we'll say

17:03

Docker pull and we're going to pull that

17:05

image there

17:07

so there we are

17:12

and we can now uh you know specify that

17:15

we want to run that particular so I'm

17:17

going to say we're going to run the

17:18

trivia

17:20

image there's a container and that is we

17:25

are essentially just going to copy the

17:26

name there

17:28

and we'll hit enter and let's see what

17:32

vulnerabilities affect this particular

17:34

Docker image

17:36

so there we are we have quite a few and

17:38

let's see if we can identify the shell

17:39

shock vulnerability

17:41

so I'm just going to go through all of

17:43

these here and I'll just go to the top

17:46

here and we should be able to see the

17:48

total number of vulnerabilities uh that

17:50

affects this particular Docker image so

17:53

if we take a look at bash here we can

17:55

see that this is the shell shock

17:57

vulnerability so this is set to critical

17:59

as you can obviously tell and it tells

18:01

you what version this was fixed in so

18:04

you can actually install that version so

18:06

a specially crafted environment

18:08

variables can be used to inject shell

18:09

commands and you know this is critical

18:11

because uh this attack or this

18:14

vulnerability can be exploited remotely

18:16

so if this a Docker container and the

18:18

web application hosted within it was

18:20

hosted uh or you know was was actually

18:23

being hosted to serve customers and you

18:27

know an attacker could potentially you

18:29

know identify the vulnerability and

18:31

exploit it and consequently gain access

18:33

to your Docker container so the most

18:37

important thing to note here is that

18:38

Docker containers are part of the

18:41

infrastructure and as a result their

18:42

security or the security of your Docker

18:45

or containers needs to be taken into

18:47

consideration uh you know directly or

18:51

from the actual uh point where you're

18:53

actually creating the images yourself

18:55

now in this case I've I've performed

18:57

scans on images that I are not mine

19:00

apart from the actual uh B web apart

19:04

from the B web image and in that case I

19:06

would be able to go through that report

19:08

or you know take a look at all the

19:10

vulnerabilities uh you know within that

19:12

particular Docker image and I'll be able

19:14

to fix those or make amendments to the

19:17

original dock of file I can then build

19:19

the new Docker image and run a scan on

19:21

it again to see whether those patches

19:23

have been implemented and the actual

19:26

process of the cycle repeats itself so

19:29

go ahead you can take a look at you know

19:32

the actual trivia documentation if

19:34

you're interested in using it to scan

19:36

for misconfigurations in git

19:38

repositories as well as Docker files

19:41

themselves

19:42

uh which uh you know can also be very

19:44

very useful as I said all the links

19:46

utilized in this video will also be

19:48

provided as an additional resource uh

19:51

with that said that is going to conclude

19:53

the

19:54

practical demonstration side of this

19:57

video

19:58

so in the next video and the final video

20:01

within this series we're going to be

20:03

taking a look at incident response with

20:05

FireEye Redline all right so the actual

20:08

red line tool made or developed by Phi I

20:12

is pretty much one of the best Solutions

20:14

out there when it comes down to incident

20:16

response and digital forensics so that

20:19

is what we'll be exploring in the next

20:21

video

20:25

[Music]

20:32

thank you

20:34

[Music]

Browse More Related Video

Generating scan reports with Trivy

A Beginners Guide to Code Review

Discovering Hidden Treasures: Extracting Secrets from Blazor Apps!

What is Docker? Simply Explained by Shradha Ma'am

100+ Docker Concepts you Need to Know

Install Flowable with Docker | How-To | Flowable

Rate This

★

★

★

★

★

5.0 / 5 (0 votes)

Related Tags

Docker SecurityTrivy ScannerVulnerability AssessmentContainer ImagesLinux CLICybersecurityDevOpsIT InfrastructureSecurity TrainingHackersploit