Generating scan reports with Trivy
Summary
TL;DR: In this Aqua Open Source video, Anais, an open source developer advocate at Aqua Security, demonstrates how to generate various reports using the Trivy CLI. She explains the process of storing scan results for long-term analysis and showcases different report formats, including table, JSON, SARIF, custom templates, and SBOMs. The tutorial also covers the installation and upgrading of Trivy, and highlights the use of jless for viewing JSON output. Anais encourages viewers to contribute to the project on GitHub and explore additional tools for enhanced scanning capabilities.
Takeaways
- 😀 Anais, an open source developer advocate at Aqua Security, introduces the video on generating reports with Trivy CLI.
- 🔍 Trivy CLI is used for scanning resources and typically provides results in the terminal or CI/CD pipeline.
- 💾 The video demonstrates how to store Trivy scan reports long-term, such as in S3 buckets for historical analysis and comparison.
- 🛠️ The tutorial requires Trivy to be installed or updated to the latest version using the provided installation instructions.
- 📊 Trivy supports various report formats including table, JSON, SARIF, custom templates, and SPDX.
- 📝 The default report format is table, which is easy to read and supported across vulnerability, misconfiguration, secret, and license scans.
- 📄 JSON format can be displayed in the terminal and saved to an output file, facilitating further processing and analysis.
- 📈 jless, a command-line JSON viewer, is highlighted as a tool for viewing JSON output neatly and filtering through results.
- 📑 SARIF format is suitable for uploading to GitHub Code Scanning and can be generated with Trivy's --format sarif flag.
- 🛠️ Custom templates can be used to tailor the report output to specific needs, with examples like JUnit, ASFF, and HTML provided.
- 🔗 S-BOM (Software Bill of Materials) can be generated in formats like SPDX and CycloneDX, useful for sharing component lists and integrating with container registries.
Q & A
What is the main topic of the video?
-The main topic of the video is demonstrating how to generate different types of reports through the Trivy CLI for various scans.
Who is the presenter of the video?
-Anais is the presenter of the video and the open source developer advocate at Aqua Security.
Why might someone want to store Trivy scan reports long-term?
-Storing Trivy scan reports long-term allows for historical analysis, comparison over time, and reference in case of issues arising after application upgrades.
What are some of the formats supported for Trivy scan reports?
-Trivy supports report formats such as table, JSON, SARIF, custom templates, and S-BOMs (Software Bill of Materials).
How can one check the version of Trivy installed in their environment?
-To check the version of Trivy, one can use the command 'trivy version' in their terminal.
What does the table format in Trivy provide?
-The table format provides an easy-to-read display of security issues or vulnerabilities found during a scan.
How can one view the JSON output of a Trivy scan in a more user-friendly manner?
-One can pipe the JSON output into jless, a command-line JSON viewer, which gives a more organized and navigable view of the scan results.
What is the purpose of the SARIF format in Trivy scans?
-The SARIF (Static Analysis Results Interchange Format) is used for integrating Trivy scan results into other tools and platforms that support this format for security analysis.
How can Trivy scan results be shared or used in GitHub code scanning?
-Trivy scan results can be saved in SARIF format and uploaded to GitHub code scanning, and there is a Trivy GitHub action available for this purpose.
What does S-BOM stand for and what information does it provide?
-S-BOM stands for Software Bill of Materials, and it provides a list of all the different components within a container image or software package.
How can one contribute to the Trivy project or get support?
-One can contribute to the Trivy project by starring the repository on GitHub, joining the Slack community, or starting a GitHub discussion for support and feedback.
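The long-term storage motivation described above (archiving result.json files and comparing them over time) in working code, as an added example that is not part of the video or the Trivy project's own code. It assumes the JSON layout written by `trivy image --format json --output result.json IMAGE` (SchemaVersion 2, with Results[].Vulnerabilities[] and Results[].Misconfigurations[]); both sample reports are constructed, and the finding IDs are placeholders rather than real CVE or check identifiers.

```python
"""Post-process archived Trivy JSON reports: severity counts, week-over-week diff, gate.

Added example, not code from the video or the Trivy project. Assumes the
SchemaVersion 2 layout of `trivy image --format json`. Sample reports are
constructed; finding IDs are placeholders, not real CVEs or Trivy check IDs.
"""
import json
from collections import Counter

# Severity order used by Trivy; index 0 is the most severe.
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed: pretend this is last week's archived result.json for the image.
LAST_WEEK = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "example.invalid/app:1.0", "ArtifactType": "container_image",
    "Results": [
        {"Target": "example.invalid/app:1.0 (alpine 3.18.0)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "InstalledVersion": "3.1.0-r0",
              "FixedVersion": "3.1.1-r0", "Severity": "HIGH", "Title": "placeholder"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "InstalledVersion": "1.36.0-r0",
              "FixedVersion": "", "Severity": "LOW", "Title": "placeholder"}]}]})

# Constructed: this week's scan after a base-image upgrade. One finding was fixed,
# one is new, and a Dockerfile misconfiguration result is now present as well.
THIS_WEEK = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "example.invalid/app:1.1", "ArtifactType": "container_image",
    "Results": [
        {"Target": "example.invalid/app:1.1 (alpine 3.18.1)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "InstalledVersion": "1.36.0-r0",
              "FixedVersion": "", "Severity": "LOW", "Title": "placeholder"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "musl", "InstalledVersion": "1.2.4-r0",
              "FixedVersion": "1.2.4-r1", "Severity": "CRITICAL", "Title": "placeholder"}]},
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
         "Misconfigurations": [
             {"Type": "Dockerfile Security Check", "ID": "DS-EXAMPLE-001", "Title": "placeholder",
              "Severity": "MEDIUM", "Message": "placeholder", "Status": "FAIL"}]}]})

# Constructed: a clean scan. Trivy emits "Results": null when nothing is found.
EMPTY_REPORT = json.dumps({"SchemaVersion": 2, "ArtifactName": "example.invalid/clean:1.0", "Results": None})


def findings(report):
    """Yield (id, location, severity) for every vulnerability and misconfiguration.

    Results may be null, and a result may lack the Vulnerabilities or
    Misconfigurations key entirely, so every list access tolerates a missing value.
    """
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            yield v["VulnerabilityID"], v.get("PkgName", ""), v.get("Severity", "UNKNOWN")
        for m in result.get("Misconfigurations") or []:
            yield m["ID"], result.get("Target", ""), m.get("Severity", "UNKNOWN")


def severity_counts(report_text):
    """Count findings per severity, always returning every severity bucket."""
    counts = Counter(sev for _, _, sev in findings(json.loads(report_text)))
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def diff_reports(old_text, new_text):
    """What was introduced and what was resolved between two archived reports.

    Findings are keyed by (id, location) rather than by Target, because the Target
    string embeds the image tag and OS version and changes on every upgrade.
    """
    old_keys = {(fid, loc) for fid, loc, _ in findings(json.loads(old_text))}
    new_keys = {(fid, loc) for fid, loc, _ in findings(json.loads(new_text))}
    return {"introduced": sorted(new_keys - old_keys), "resolved": sorted(old_keys - new_keys)}


def rank(severity):
    """Position in SEVERITIES; anything unrecognised ranks below UNKNOWN."""
    return SEVERITIES.index(severity) if severity in SEVERITIES else len(SEVERITIES)


def fails_gate(report_text, threshold="HIGH"):
    """True if any finding is at or above the threshold; UNKNOWN never fails the gate."""
    limit = rank(threshold)
    return any(rank(sev) <= limit for _, _, sev in findings(json.loads(report_text))
               if sev != "UNKNOWN")


if __name__ == "__main__":
    print("last week:", severity_counts(LAST_WEEK))
    print("this week:", severity_counts(THIS_WEEK))
    print("changes:", diff_reports(LAST_WEEK, THIS_WEEK))
    print("fails HIGH gate:", fails_gate(THIS_WEEK))
```

The diff is what the archived reports are for: after the base-image upgrade the script reports CVE-0000-0001 as resolved and the new CRITICAL finding plus the Dockerfile check as introduced, without a human reading either JSON file. The same functions work on the output of trivy config, since misconfiguration results use the same Results[] envelope.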
Outlines
📊 Generating and Storing Trivy CLI Scan Reports
In this paragraph, Anais, an open source developer advocate at Aqua Security, introduces the tutorial's focus on using the Trivy CLI to generate various types of scan reports. She explains that while Trivy typically provides scan results in the terminal, there are scenarios where users might want to store these reports for long-term analysis, such as in S3 buckets in AWS. Anais briefly stresses the importance of keeping Trivy up to date, ensuring users have the latest version installed, and guides them through checking the installed version and upgrading Trivy if necessary. She also outlines the different report formats supported by Trivy, such as table, JSON, SARIF, custom templates, and SBOMs, and how they can be used across the various scan types, including vulnerability, misconfiguration, secret, and license scans.
🌟 Enhancing Trivy Scan Output with jless and Custom Reporting
Anais encourages viewers to support Trivy by starring its GitHub repository and introduces jless, a command-line JSON viewer, as a tool to improve the readability of Trivy's JSON scan output. She demonstrates how to pipe Trivy's scan results into jless for a more organized view and how to filter through the different issues found during scans. The paragraph also covers the other report formats: SARIF, custom templates (including the default JUnit, ASFF, and HTML templates), and SBOMs in the CycloneDX and SPDX formats. Anais explains how to generate these reports and how they can be shared and used on different platforms, including GitHub Code Scanning and container registries, to show the components of container images.
🔗 Sharing and Utilizing SBOMs for Security Scans
In the final paragraph, Anais discusses SBOMs (Software Bill of Materials) as a means to share and store information about the components of container images. She explains that SBOMs, while not human-readable, can be consumed by various platforms and can also be pushed to container registries, which lets Trivy run vulnerability scans against the SBOM instead of the image itself. Anais invites viewers to provide feedback on the tutorial and the reporting feature, and to engage with the community through the Slack channel, GitHub discussions, or by leaving comments. She also mentions links to the reporting documentation, the jless tool, and the Slack channel in the video description for further reference.
Keywords
💡Aqua Open Source
💡Trivy CLI
💡Scan Results
💡S3 Buckets
💡Configuration Scans
💡JSON Format
💡Custom Templates
💡SPDX
💡SBOM
💡GitHub
💡Jless
Highlights
Introduction to the Aqua Open Source YouTube channel and the role of the presenter, Anais, as an open source developer advocate at Aqua Security.
Demonstration of generating different types of reports through the Trivy CLI for long-term storage and analysis.
Explanation of the default terminal output for Trivy scan results and the need for long-term storage solutions like AWS S3 buckets.
Instructions on ensuring Trivy is installed in the environment and how to upgrade to the latest version.
Overview of the different report formats supported by Trivy, including table, JSON, SARIF, custom templates, and S-BOMs.
Description of the table format as the default output for Trivy scans and its support across various scanners.
Guide on how to generate JSON format reports and store them in output files for further analysis.
Introduction to jless, a command-line JSON viewer, for a more organized and filterable view of scan results.
Use of Trivy config command for misconfiguration scanning and the ability to output results in JSON format.
Explanation of the SARIF format and its support in vulnerability, misconfiguration, and secret scanning.
Details on generating custom template reports and the available default templates like JUnit, ASFF, and HTML.
Discussion on S-BOMs, their purpose, and how they provide a list of components within a container image.
Instructions on generating S-BOMs in different formats like SPDX and CycloneDX for sharing and security scanning.
Invitation for viewers to provide feedback on the tutorial and suggest topics for future videos.
Call to action for viewers to give Trivy a star on GitHub and support the open source project.
Promotion of the Aqua Security Slack channel for community engagement and support.
Transcripts
Hello everybody and thank you so much for joining me here at the Aqua Open Source YouTube channel. My name is Anais, I'm the open source developer advocate at Aqua Security. Now in this video I'm going to show you how you can generate different types of reports through the Trivy CLI.

Usually when you run a Trivy CLI scan on your different resources you're provided with the scan results in your terminal or in your CI/CD pipeline. However, in many cases you would want to store those reports long term, if I download them, save them to S3 buckets in AWS or other long-term solutions, so you can go back in time to your different reports, or if for example an upgrade to your application doesn't go as expected, or the week after you find critical vulnerabilities, you can again look at those scan results from Trivy. I'm going to show you how you can create different types of scans with Trivy and generate basically different types of reports, and I'm also going to show you the type of functionality that Trivy currently doesn't support and that you would have to use other tools for, for example Aqua for Enterprise and other enterprise solutions.

Now before you get started and you follow this tutorial you have to make sure that Trivy is actually installed in your environment. Now in this case install Trivy inside of your terminal if it isn't already; if it's already installed but you're at a later version then please upgrade your version. Here are the installation instructions, you can find lots and lots of different installation instructions here for Trivy. Now we can head over to our terminal and we can say trivy version and check the version that's currently installed. In this case I'm actually on the older version so I'm quickly going to upgrade it: brew upgrade trivy, and that should do the trick. Every time I'm using Trivy they come up with a new version, but lots of features are backwards compatible, just keep that in mind. If they are not backwards compatible you will find like an orange box in the documentation, which is FYI. Okay, so now we have the new Trivy version that we just released this week, amazing. We have everything set up, now we want to get started with our reporting feature.

So let's head over to docs with all of the documentation, and we can head down and we find reports, but reports is actually compliance reports, which is not what we want to do, or we want to create a reporting, which is under configuration.

Now as part of our reporting functionality we support different types of formats: we've supported table format, a JSON format, a SARIF format, templates, so also custom templates, and SBOMs. Now the fifth option for our reporting is actually the table format, which is the default format that you will receive the information, the output of the scan, in when you run a Trivy scan. So if we copy this command to perform a Trivy image vulnerability scan on this Alpine image, calling alpine image, then we see here if we use the table format, if we specified, if we want to have table format, if we specified, if we don't specify it, either way we will receive the output of our different security issues, of our vulnerabilities, as a table format. Even if we don't specify that we want to have it in the table format it will still be displayed in the table format because that's the default. It makes it easy to read all of your security issues, click the link for more information. Now the table format is supported in vulnerability scans, in misconfiguration scans, secret scans, license scans, so also if you use the trivy config or trivy filesystem command for configuration scans or Trivy license scans you will receive the information in a table format, so it's supported across these different scanners. We have four different scanners in Trivy.

Now the next format that we support is the JSON format. You can specify that you want to have the format to be JSON of the output result, and then you can also specify for example an output file that you want to store the information in. So let's say we first want to have the JSON format displayed in our terminal, so we're going to go ahead, JSON, and now we've received a result not as a table but actually in JSON. This is the JSON output of our different security issues of the container image. What we can do next is we can actually store the information in an output file, so you can say --output or -o for output and we can say result.json, and we can store the information in a result.json file. Now that result.json file is going to be in my local directory, in that case that's where I saved it. I can also specify a different path, and here is my result.json file with all of the information.

If you enjoyed Trivy, if you enjoyed Trivy's functionality, if you have been using Trivy, if you're just trying out Trivy and you like it, then please do consider giving us a star on GitHub. No, don't just consider it, go down to the description, there's a link to the repository, click on the link, click on the star on GitHub on the repository. It would mean so much to myself as well as to all of the contributors that make this tool possible, thank you.

Now at this point let me tell you about a really cool tool called jless. jless is a command line JSON viewer and here's what you can do with it: you basically take the previous command where you say the format should be JSON, and then you perform the scan like usual. Now this would produce the JSON output, right, and that's what we store actually in a file, in our result.json file. Now you can pipe the result also into jless, and then jless allows you to really neatly view the output, so you can then click through the different output options. So for example if you're not interested in metadata or the other information you can just head straight over to results, here your vulnerabilities, and in other scans, we will get to that, I can show you that in a second as well, in other scans you can not only like view the vulnerabilities but then you can filter also of the vulnerabilities, misconfigurations and so on. So jless is a really amazing tool that allows you to filter through the different vulnerabilities.

So for instance in the directory above I have a bad infrastructure as code directory with several different files on Terraform, on Docker and Dockerfile and other things. So I want to scan that now for misconfigurations. I do that with the trivy config command, and the output, then I want to have it as JSON, right, in a JSON format, and I can pipe it also into jless. Now this is going to perform the scan, this configuration scanning is enabled, it will look for vulnerabilities, it will look for other things, so I can then go through the different results, misconfigurations, different types of misconfigurations, and I can view them as well. So for example I have here the misconfigurations, Dockerfile, and I can see without going into the detail necessarily directly, oh there are lots of issues, I can just see the different types of issues right here. It makes it a lot easier to filter through the results. Now the JSON format is also supported in vulnerability scanning, misconfiguration scanning, secret scanning and license scanning.

Next we have the SARIF format. The SARIF format is supported in vulnerability scanning, misconfiguration scanning and secret scanning, but not in license scanning. It's a similar process, which is: specify --format sarif or just -f sarif, and then we can run the scan as well but get the result as a report.sarif format. So if we now open our report.sarif format, it's right here: here's our JSON from before and here's now our SARIF report as well. Now the SARIF format can also be uploaded to the GitHub code scanning results and there's a Trivy GitHub action for that, so do check that out if you're curious on how to do that.

So next up you could also specify a custom template, either a custom template that you actually want to set up that provides you with certain information, or you could also use one of our default templates, load a template from a file or similar. So as part of our default templates we have JUnit, ASFF and HTML, so you could also produce reports through those custom templates.

So the last reporting format that I want to show you is SBOM. SBOMs are also generated through the --format command, so we have CycloneDX and SPDX formats and you can for example create spdx.json or the format CycloneDX. Now you would specify the container image that you want to generate the SBOM for, and SBOM stands for software bill of materials, and it basically provides you with a list of all of the different components of that container image. So if we say trivy image and then we provide format spdx-json, output is result.spdx, and it's over there, and then we just need our container image from the previous step, alpine image. We're gonna run this command and this is going to generate a file with the SBOM output of our container image, which is also a type of report that you can generate, as SBOMs can be easily shared between different entities to showcase the components that are in your resources, in your development resources. And then we can find the SBOM here. Now SBOMs are not supposed to be human readable, however you can provide that to different platforms and then also store the SBOM. You can also push the SBOM to your container registry and that will allow for example Trivy to perform security scans, vulnerability scans, not on a container image directly but on the SBOM as well. There are lots of different options, and as I just said, have a look at that. Also let me know what kind of options you would like to see in a different tutorial.

As always I really hope this video was useful. If it was, please do give it a thumbs up and subscribe to our channel for upcoming videos, for live streams as well as tutorials. Do let me know in the comments what kind of videos, what kind of tutorials you would like to see on Trivy and Tracee. Also linked below in the description is first of all the link to our reporting documentation, then the link to jless, the tool, the JSON tool I've showed you, as well, and then also the link to our Slack channel. If you have any questions do post them in the respective Slack channel in our Slack community or start a GitHub action or a GitHub discussion. We would love to hear your feedback on the documentation as well as on the way that you're using our reporting feature. Thank you so much for watching and I hope to see you on one of our next videos, bye bye.