Generating scan reports with Trivy

Aqua Security Open Source
4 May 2023, 11:25

Summary

TL;DR: In this Aqua Open Source video, Anais, an open source developer advocate at Aqua Security, demonstrates how to generate various reports using the Trivy CLI. She explains how to store scan results for long-term analysis and showcases the different report formats: table, JSON, SARIF, custom templates, and S-BOMs. The tutorial also covers installing and upgrading Trivy, and highlights jless, a command-line JSON viewer, for browsing JSON output. Anais encourages viewers to contribute to the project on GitHub and explore additional tools for enhanced scanning capabilities.

Takeaways

  • Anais, an open source developer advocate at Aqua Security, introduces the video on generating reports with the Trivy CLI.
  • The Trivy CLI is used for scanning resources and typically provides results in the terminal or CI/CD pipeline.
  • The video demonstrates how to store Trivy scan reports long-term, such as in S3 buckets, for historical analysis and comparison.
  • The tutorial requires Trivy to be installed or updated to the latest version using the provided installation instructions.
  • Trivy supports various report formats including table, JSON, SARIF, custom templates, and SPDX.
  • The default report format is table, which is easy to read and supported across vulnerability, misconfiguration, secret, and license scans.
  • JSON format can be displayed in the terminal and saved to an output file, facilitating further processing and analysis.
  • jless, a command-line JSON viewer, is highlighted as a tool for viewing JSON output neatly and filtering through results.
  • SARIF format is suitable for uploading to GitHub Code Scanning and can be generated using Trivy with a specific command.
  • Custom templates can be used to tailor the report output to specific needs, with examples like JUnit, ASFF, and HTML provided.
  • S-BOM (Software Bill of Materials) can be generated in formats like SPDX and CycloneDX, useful for sharing component lists and integrating with container registries.
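The JSON report is the format the takeaways flag for further processing. As an added example (not code from the video or from the Trivy project), the Python script below builds the Trivy command lines for the formats discussed and then post-processes a JSON report: it counts findings per severity and fails, CI-style, when anything at or above a chosen severity is present. The `--format`, `--output` and `--template` flags are Trivy's; the report layout (Results, Vulnerabilities, Misconfigurations, Severity, Status) is assumed to follow Trivy's JSON schema; the embedded sample report, its CVE numbers and its check IDs are constructed placeholders and describe no real image.

```python
"""Build Trivy report commands and post-process a --format json report.
Added example, not code from the video or the Trivy project. The
--format/--output/--template flags are Trivy's; the report layout is
assumed to follow Trivy's JSON schema; the sample below is constructed
and its CVE numbers and check IDs are placeholders, not real advisories."""
import json
import sys
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Trivy severities from least to most severe; anything unrecognised ranks as UNKNOWN.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the shape 'trivy ... --format json' writes (assumption).
SAMPLE_REPORT_JSON = """{
  "SchemaVersion": 2, "ArtifactName": "registry.example.invalid/demo:constructed",
  "ArtifactType": "container_image",
  "Results": [
    {"Target": "registry.example.invalid/demo:constructed (alpine 3.17.0)",
     "Class": "os-pkgs", "Type": "alpine",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
        "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0", "Severity": "HIGH"},
       {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample",
        "InstalledVersion": "1.0.0-r0", "Severity": "MEDIUM"},
       {"VulnerabilityID": "CVE-0000-0003", "PkgName": "otherpkg",
        "InstalledVersion": "2.3.4-r1", "FixedVersion": "2.3.5-r0", "Severity": "CRITICAL"}]},
    {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
     "Misconfigurations": [
       {"ID": "DS-EXAMPLE-ROOT", "Title": "Image runs as root (placeholder check)",
        "Severity": "HIGH", "Status": "FAIL"},
       {"ID": "DS-EXAMPLE-LATEST", "Title": "':latest' tag used (placeholder check)",
        "Severity": "MEDIUM", "Status": "PASS"}]}
  ]
}"""


def trivy_command(target: str, fmt: str = "table", output: Optional[str] = None,
                  subcommand: str = "image", template: Optional[str] = None) -> List[str]:
    """argv for one Trivy scan: fmt is table (default), json, sarif, template,
    spdx-json or cyclonedx; subcommand is 'image' or 'config' (directory scan)."""
    argv = ["trivy", subcommand, "--format", fmt]
    if fmt == "template":
        # built-in templates such as the HTML one are referenced as @contrib/html.tpl
        if template is None:
            raise ValueError("--format template needs a --template value")
        argv += ["--template", template]
    if output is not None:
        argv += ["--output", output]
    return argv + [target]


def _rank(severity: Optional[str]) -> int:
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def summarize(report: dict) -> Dict[str, Dict[str, int]]:
    """Findings per severity, vulnerabilities and failed misconfigurations apart."""
    vulns: Counter = Counter()
    misconfs: Counter = Counter()
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            vulns[v.get("Severity", "UNKNOWN")] += 1
        for m in result.get("Misconfigurations") or []:
            if m.get("Status", "FAIL") == "FAIL":  # passed checks are not findings
                misconfs[m.get("Severity", "UNKNOWN")] += 1
    return {"vulnerabilities": dict(vulns), "misconfigurations": dict(misconfs)}


def gate(report: dict, fail_on: str = "HIGH") -> Tuple[bool, List[str]]:
    """CI-style gate: (ok, offenders) listing every finding at or above fail_on."""
    threshold = _rank(fail_on)
    offenders: List[str] = []
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            if _rank(v.get("Severity")) >= threshold:
                fix = v.get("FixedVersion") or "no fix available"
                offenders.append(f"{target}: {v['VulnerabilityID']} in {v['PkgName']} "
                                 f"{v['InstalledVersion']} ({fix})")
        for m in result.get("Misconfigurations") or []:
            if m.get("Status", "FAIL") == "FAIL" and _rank(m.get("Severity")) >= threshold:
                offenders.append(f"{target}: {m['ID']} {m['Title']}")
    return (not offenders, offenders)


def load_report(path: Optional[str] = None) -> dict:
    """Read a file written by 'trivy ... --format json --output <path>'; None gives the sample."""
    if path is None:
        return json.loads(SAMPLE_REPORT_JSON)
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    report = load_report(sys.argv[1] if len(sys.argv) > 1 else None)
    print("scan command:", " ".join(trivy_command("alpine", "json", "result.json")))
    print(json.dumps(summarize(report), indent=2))
    ok, found = gate(report, "HIGH")
    for line in found:
        print("FAIL:", line)
    sys.exit(0 if ok else 1)
```

Run it with no arguments to see the constructed sample evaluated, or pass the path of a real `result.json` produced by `trivy image --format json --output result.json <image>`; the exit status is non-zero when the gate fails, which is what a pipeline step needs. Passed misconfiguration checks are skipped because Trivy can emit them alongside failures, and they would otherwise inflate the counts.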

Q & A

  • What is the main topic of the video?

    -The main topic of the video is demonstrating how to generate different types of reports through the Trivy CLI for various scans.

  • Who is the presenter of the video?

    -Anais is the presenter of the video and the open source developer advocate at Aqua Security.

  • Why might someone want to store Trivy scan reports long-term?

    -Storing Trivy scan reports long-term allows for historical analysis, comparison over time, and reference in case of issues arising after application upgrades.

  • What are some of the formats supported for Trivy scan reports?

    -Trivy supports report formats such as table, JSON, SARIF, custom templates, and S-BOMs (Software Bill of Materials).

  • How can one check the version of Trivy installed in their environment?

    -To check the version of Trivy, one can use the command 'trivy version' in their terminal.

  • What does the table format in Trivy provide?

    -The table format provides an easy-to-read display of security issues or vulnerabilities found during a scan.

  • How can one view the JSON output of a Trivy scan in a more user-friendly manner?

    -One can pipe the JSON output into a tool like jless, a command-line JSON viewer, which allows for a more organized and navigable view of the scan results.

  • What is the purpose of the SARIF format in Trivy scans?

    -The SARIF (Static Analysis Results Interchange Format) is used for integrating Trivy scan results into other tools and platforms that support this format for security analysis.

  • How can Trivy scan results be shared or used in GitHub code scanning?

    -Trivy scan results can be saved in SARIF format and uploaded to GitHub code scanning, and there is a Trivy GitHub action available for this purpose.

  • What does S-BOM stand for and what information does it provide?

    -S-BOM stands for Software Bill of Materials, and it provides a list of all the different components within a container image or software package.

  • How can one contribute to the Trivy project or get support?

    -One can contribute to the Trivy project by starring the repository on GitHub, joining the Slack community, or starting a GitHub discussion for support and feedback.

Outlines

00:00

Generating and Storing Trivy CLI Scan Reports

In this segment, Anais, an open source developer advocate at Aqua Security, introduces the tutorial's focus on using the Trivy CLI to generate various types of scan reports. She explains that while Trivy typically provides scan results in the terminal, there are scenarios where users might want to store these reports for long-term analysis, such as in S3 buckets in AWS. Anais stresses the importance of keeping Trivy up to date, and guides viewers through checking the installed version and upgrading Trivy if necessary. She also outlines the different report formats supported by Trivy, such as table, JSON, SARIF, custom templates, and S-BOMs, and how they can be used across the various scan types: vulnerability, misconfiguration, secret, and license scans.

05:01

🌟 Enhancing Trivy Scan Output with jless and Custom Reporting

Anais encourages viewers to support Trivy by starring its GitHub repository and introduces jless, a command-line JSON viewer, as a tool to enhance the readability of Trivy's JSON scan output. She demonstrates how to pipe Trivy's scan results into jless for a more organized view and how to filter through the different issues found during scans. The segment also covers the other report formats: SARIF, custom templates including JUnit, ASFF, and HTML, and S-BOMs in the CycloneDX and SPDX formats. Anais explains how to generate these reports and how they can be shared and used on different platforms, including GitHub Code Scanning and container registries, to showcase the components of container images.

10:03

Sharing and Utilizing S-BOMs for Security Scans

In the final segment, Anais discusses the use of S-BOMs (Software Bill of Materials) as a means to share and store information about the components of container images. She explains that S-BOMs, while not meant to be human-readable, can be consumed by various platforms and can also be pushed to container registries, which enables Trivy to perform security scans on the S-BOM instead of the image. Anais invites viewers to provide feedback on the tutorial and the reporting feature, and to engage with the community through the Slack channel, GitHub discussions, or the comments. She also includes links to the reporting documentation, the jless tool, and the Slack channel in the description for further reference.

Keywords

Aqua Open Source

Aqua Open Source is the platform hosting the video channel where the tutorial takes place. It is a community focused on open source software and development. In the video, the host, Anais, introduces herself as an open source developer advocate at Aqua Security, indicating that the content is related to open source practices and tools.

Trivy CLI

Trivy CLI is the command-line interface for the Trivy tool, which is used for scanning container images, file systems, and other resources for vulnerabilities and misconfigurations. The video is centered around demonstrating how to generate reports using the Trivy CLI, which is essential for security assessments in software development.

Scan Results

Scan results refer to the output provided by the Trivy CLI after performing a security scan. These results typically include information about any vulnerabilities found. In the context of the video, the host discusses how to store these results long-term, which is crucial for tracking security issues over time.

S3 Buckets

S3 Buckets are storage containers for data in Amazon Web Services (AWS). They are used to store and retrieve large amounts of data. The script mentions saving scan reports to S3 buckets as a method of long-term storage, which is important for historical analysis and compliance purposes.

Configuration Scans

Configuration scans are a type of security analysis that checks for misconfigurations in software and infrastructure setups. In the video, the host shows how to perform a configuration scan using the Trivy CLI and how to generate reports from these scans, which helps in identifying and correcting security flaws in system configurations.

JSON Format

JSON (JavaScript Object Notation) is a lightweight data interchange format that is easy for humans to read and write and for machines to parse and generate. The video explains how to generate scan reports in JSON format using the Trivy CLI, allowing for programmatic processing and integration with other tools.

Custom Templates

Custom templates in the context of the video refer to user-defined formats for generating reports. These templates can be used with the Trivy CLI to create reports that include specific information tailored to the user's needs. The host mentions the ability to use custom templates to generate reports in various formats.

SPDX

SPDX (Software Package Data Exchange) is a standard format for sharing information about the components and licenses of software packages. The video discusses generating SPDX reports using the Trivy CLI, which provides a detailed bill of materials for container images, useful for compliance and transparency.

SBOM

SBOM stands for Software Bill of Materials. It is a list of all the components included in a software or system. The video explains how to generate an SBOM using the Trivy CLI, which is essential for understanding the composition of software and for supply chain security.

GitHub

GitHub is a platform for version control and collaboration that is widely used by developers. The video mentions GitHub in the context of contributing to the Trivy project by giving it a star, as well as using GitHub Actions for automating tasks related to security scanning.

jless

jless is a command-line JSON viewer that allows for the interactive exploration of JSON data. The video script mentions piping the JSON output from Trivy scans into jless, making it easier to navigate and understand the scan results.

Highlights

Introduction to the Aqua Open Source YouTube channel and the role of the presenter, Anais, as an open source developer advocate at Aqua Security.

Demonstration of generating different types of reports through the Trivy CLI for long-term storage and analysis.

Explanation of the default terminal output for Trivy scan results and the need for long-term storage solutions like AWS S3 buckets.

Instructions on ensuring Trivy is installed in the environment and how to upgrade to the latest version.

Overview of the different report formats supported by Trivy, including table, JSON, SARIF, custom templates, and S-BOMs.

Description of the table format as the default output for Trivy scans and its support across various scanners.

Guide on how to generate JSON format reports and store them in output files for further analysis.

Introduction to jless, a command-line JSON viewer, for a more organized and filterable view of scan results.

Use of Trivy config command for misconfiguration scanning and the ability to output results in JSON format.

Explanation of the SARIF format and its support in vulnerability, misconfiguration, and secret scanning.

Details on generating custom template reports and the available default templates like JUnit, ASFF, and HTML.

Discussion on S-BOMs, their purpose, and how they provide a list of components within a container image.

Instructions on generating S-BOMs in different formats like SPDX and CycloneDX for sharing and security scanning.

Invitation for viewers to provide feedback on the tutorial and suggest topics for future videos.

Call to action for viewers to give Trivy a star on GitHub and support the open source project.

Promotion of the Aqua Security Slack channel for community engagement and support.

Transcripts

00:00

Hello everybody, and thank you so much for joining me here at the Aqua Open Source YouTube channel. My name is Anais, I'm the open source developer advocate at Aqua Security. Now, in this video I'm going to show you how you can generate different types of reports through the Trivy CLI.

00:15

Usually, when you run a Trivy CLI scan on your different resources, you're provided with the scan results in your terminal or in your CI/CD pipeline. However, in many cases you would want to store those reports long term: if I download them, save them to S3 buckets in AWS or other long-term solutions, so you can go back in time at your different reports, or if, for example, an upgrade to your application doesn't go as expected, or the week after you find critical vulnerabilities, you can again look at those scan results from Trivy. I'm going to show you how you can create different types of scans with Trivy and generate basically different types of reports, and I'm also going to show you the type of functionality that Trivy currently doesn't support and that you would have to use other tools, or for example Aqua Enterprise and other enterprise solutions, for.

01:06

Now, before you get started and you follow this tutorial, you have to make sure that Trivy is actually installed in your environment. Now, in this case, install Trivy inside of your terminal if it isn't already; if it's already installed but you're at a later version, then please upgrade your version. Here are the installation instructions; you can find lots and lots of different installation instructions here for Trivy. Now we can head over to our terminal and we can say "trivy version" and check the version that's currently installed. In this case I'm actually on the older version, so I'm quickly going to upgrade it: "brew upgrade trivy", and that should do the trick. Every time I'm using Trivy they come up with a new version, but lots of features are backwards compatible, just keep that in mind. If they are not backwards compatible you will find like an orange box in the documentation, which is [inaudible]. Okay, so now we have the new Trivy version that we just released this week. Amazing.

02:03

We have everything set up, now we want to get started with our reporting feature. So let's head over to the docs with all of the documentation, and we can head down and we find Reports, but Reports is actually compliance reports, which is not what we want to do; we want to create a reporting, which is under Configuration. Now, as part of our reporting functionality we support different types of formats: we support the table format, a JSON format, a SARIF format, templates, so also custom templates, and SBOMs. Now the first option for our reporting is actually the table format, which is the default format that you will receive the information, the output of the scan, in when you run a Trivy scan.

02:49

So if we copy this command to perform a Trivy image vulnerability scan on this Alpine image, calling the Alpine image, then we see here, if we use the table format, if we specify that we want to have table format, if we don't specify it, either way we will receive the output of our different security issues, of our vulnerabilities, as a table format. Even if we don't specify that we want to have it in the table format, it will still be displayed in the table format because that's the default. It makes it easy to read all of your security issues; click the link for more information. Now the table format is supported in vulnerability scans, in misconfiguration scans, secret scans, license scans, so also if you use the "trivy config" or "trivy filesystem" command for configuration scans or Trivy licensing scans, you will receive the information in a table format, so it's supported across these different scanners. We have four different scanners in Trivy.

03:56

Now the next format that we support is the JSON format. You can specify that you want to have the format to be JSON of the output result, and then you can also specify, for example, an output file that you want to store the information in. So let's say we first want to have the JSON format displayed in our terminal, so we're going to go ahead, JSON, and now we've received the result not as a table but actually in JSON. This is the JSON output of our different security issues of the container image. What we can do next is we can actually store the information in an output file, so you can say "--output" or "-o" for output, and we can say "result.json", and we can store the information in a result.json file. Now that result.json file is going to be in my local directory, in that case that's where I save them; I can also specify a different path. And here is my result.json file with all of the information.

05:01

If you enjoyed Trivy, if you enjoyed Trivy's functionality, if you have been using Trivy, if you're just trying out Trivy and you like it, then please do consider giving us a star on GitHub. No, don't just consider it: go down to the description, there's a link to the repository, click on the link, click on the star on GitHub to the repository. It would mean so much to myself as well as to all of the contributors that make this tool possible. Thank you.

05:26

Now at this point let me tell you about a really cool tool called jless. jless is a command-line JSON viewer, and here's what you can do with it. You basically take the previous command where you say the format should be JSON, and then you perform the scan like usual. Now this would produce the JSON output, right, and that's what we stored actually in a file, in our results.json file. Now you can pipe the result also into jless, and then jless allows you to really neatly view the output, so you can then click through the different output options. So for example, if you're not interested in metadata and the other information, you can just head straight over to Results, here your vulnerabilities, and in other scans, we will get to that, I can show you that in a second as well, in other scans you can not only view the vulnerabilities but then you can filter also the vulnerabilities, misconfigurations and so on. So jless is a really amazing tool that allows you to filter through the different vulnerabilities.

06:31

So for instance, in the directory above I have a bad infrastructure-as-code directory with several different files on Terraform, on Docker and Dockerfile, and other things. So I want to scan that now for misconfigurations. I do that with the "trivy config" command, and the output, I want to have it as JSON, right, in a JSON format, and I can pipe it also into jless. Now this is going to perform the scan. This configuration scanning is enabled, it will look for vulnerabilities, it will look for other things, so I can then go through the different results, misconfigurations, different types of misconfigurations, and I can view them as well. So for example I have here the misconfigurations Dockerfile, and I can see, without going into the detail necessarily, directly: oh, there are lots of issues. I can just see the different types of issues right here. It makes it a lot easier to filter through the results. Now the JSON format is also supported in vulnerability scanning, misconfiguration scanning, secret scanning and license scanning.

07:39

Next we have the SARIF format. The SARIF format is supported in vulnerability scanning, misconfiguration scanning and secret scanning, but not in license scanning. It's a similar process, which is: specify "--format sarif", or just "-f sarif", and then we can run the scan as well, but get the result as a report.sarif format. So if we now open our report.sarif format, it's right here: here's our JSON from before and here's now our SARIF report as well. Now the SARIF format can also be uploaded to the GitHub code scanning results, and there's a Trivy GitHub action for that, so do check that out if you're curious on how to do that.

08:22

So next up, you could also specify a custom template, either a custom template that you actually want to set up that provides you with certain information, or you could also use one of our default templates, load a template from a file, or similar. So as part of our default templates we have JUnit, ASFF and HTML, so you could also produce reports through those custom templates.

08:45

So the last reporting format that I want to show you is SBOM. SBOMs are also generated through the "--format" command, so we have CycloneDX and SPDX formats, and you can for example create spdx.json or the format CycloneDX. Now you would specify the container image that you want to generate the SBOM for, and SBOM stands for software bill of materials, and it basically provides you with a list of all of the different components of that container image. So if we say "trivy image" and then we provide "--format spdx-json", output is "result.spdx", and it's over there, and then we just need our container image from the previous step, the Alpine image. We're going to run this command and this is going to generate a file with the SBOM output of our container image, which is also a type of report that you can generate, as SBOMs can be easily shared between different entities to showcase the components that are in your resources, in your development resources, and then we can find the SBOM here.

10:11

Now SBOMs are not supposed to be human readable, however you can provide that to different platforms and then also store the SBOM, sign the SBOM. You can also push the SBOM to your container registry, and that will allow for example Trivy to perform security scans, vulnerability scans, not on a container image directly but on the SBOM as well. There are lots of different options, and as I just said, have a look at that. Also let me know what kind of options you would like to see in a different tutorial.

10:38

As always, I really hope this video was useful. If it was, please do give it a thumbs up and subscribe to our channel for upcoming videos, for live streams as well as tutorials. Do let me know in the comments what kind of videos, what kind of tutorials you would like to see on Trivy and Tracee. Also linked below in the description is, first of all, the link to our reporting documentation, then the link to jless, the JSON tool I've showed you as well, and then also the link to our Slack channel. If you have any questions, do post them in the respective Slack channel in our Slack community, or start a GitHub action or a GitHub discussion. We would love to hear your feedback on the documentation as well as on the way that you're using our reporting feature. Thank you so much for watching and I hope to see you on one of our next videos. Bye bye.


Related Tags

Trivy CLI, Security Reports, Vulnerability Scans, Open Source, Container Security, Compliance Reports, JSON Viewer, GitHub Actions, CycloneDX, SPDX