Integration with CI Tools

Integration with a continuous integration (CI) tool is a good idea to avoid the need for manual vulnerability scanning. In addition to GitLab CI, you can use GitHub Actions, Circle CI, Travis CI, Bitbucket Pipelines, AWS CodePipeline, and AWS Security Hub. The documentation again helps you get started.

The configuration is particularly easy with GitLab version 15.0 and higher, because Trivy integration is already included in the product – even in the free version. To enable it, simply add the CI template to the gitlab-ci.yml file:

include:
  - template: Security/Container-Scanning.gitlab-ci.yml

You can then examine the scan results in the container builder.

What's in the Software

Support for the SBOM is a relatively new addition to Trivy. The aim is to deliver an overview of all the components, libraries, and other artifacts used in the software under investigation. SBOMs offer many advantages to security teams, as is quite apparent, for example, by the well-known vulnerability in Log4j. With an automated process for setting up SBOMs, you can get straight down to fixing the vulnerability instead of wasting time finding out if a library is actually in use.

The best known formats for SBOMs are SPDX from the Linux Foundation and CycloneDX from the Open Web Application Security Project (OWASP). To create a BOM, enter the command:

trivy image --format cyclonedx --output result.json alpine:3.15

The Sigstore project and the Cosign [4] tool were introduced to make sure that BOMs are trustworthy, making it easy to sign and verify artifacts with OAuth 2. The artifacts created by Cosign are known as attestations (Figure 2). If you already have an account with a supported provider (e.g., Google, GitHub, Microsoft), you can use Cosign to sign an SBOM as follows:

trivy image --format spdx -o sbom.spdx <IMAGE>
COSIGN_EXPERIMENTAL=1 cosign attest --type spdx --predicate sbom.spdx <IMAGE>

Figure 2: Still experimental, but potentially very valuable: scanning cloud resources with Trivy.

The command

COSIGN_EXPERIMENTAL=1 cosign verify-attestation <IMAGE>

checks attestations.

Conclusions

Many companies still approach security in cloud-native environments relatively casually. The required skills are often missing or the implementation just looks too complex. Now, however, Trivy gives you a useful open source tool. It is easy to use and offers a wide range of features, which means it can be used throughout the software life cycle of development, CI processes, operation, and monitoring.