Boosting DevOps Security: A Beginner’s Guide to Integrating Trivy with Jenkins”
🔒 In the world of cybersecurity, finding and fixing vulnerabilities is like putting on your detective hat and preventing bad things from happening. It’s a crucial task to identify and address security risks before they get taken advantage of.
That’s where Trivy comes in! 🕵️♂️ It’s a popular tool for finding vulnerabilities, and the best part? It’s super easy to use! Trivy is an open-source vulnerability scanner with a complete database of security vulnerabilities.
So get ready to level up your security game with Trivy and Jenkins. Let’s dive in and make vulnerability testing an easy and effective part of your DevOps journey! 💪
Why Trivy?
We use Trivy to perform a vulnerability scan in our CI/CD pipeline.
Before I deploy a new image to my system, It’s important to make sure there are no security weaknesses or outdated packages in the container that could be used by hackers to break into my system.
About Trivy?
Trivy has scanners that look for security issues, and targets where it can find those issues.
Targets (what Trivy can scan):
- Container Image
- Filesystem
- Git Repository (remote)
- Virtual Machine Image
- Kubernetes
- AWS
Scanners (what Trivy can find there):
- OS packages and software dependencies in use (SBOM)
- Known vulnerabilities (CVEs)
- IaC issues and misconfigurations
- Sensitive information and secrets
- Software licenses
How to use Trivy?📝
In this article, we will utilize Trivy with Docker to scan Docker images before the build step.
Here’s an example command using Trivy to scan a single image : openjdk:8-jdk-alpine
$docker run --rm -v $WORKSPACE:/root/.cache/ aquasec/trivy:0.17.2 -q image --exit-code 1 --severity CRITICAL --light openjdk:8-jdk-alpine
The output of the scan :
Here’s a breakdown of the command and its components:
docker run
: Executes a Docker container.--rm
: Automatically removes the container after it finishes running, ensuring a clean environment.-v $WORKSPACE:/root/.cache/
: Mounts the$WORKSPACE
directory from the host into the container's cache directory, allowing Trivy to store and access cached data for faster subsequent scans.aquasec/trivy:0.17.2
: Specifies the Trivy container image and its version to run.-q image
: Performs an image vulnerability scan in a quiet mode, suppressing unnecessary output.--exit-code 1
: Sets the exit code to 1 if vulnerabilities are found, allowing you to programmatically determine if the scan detected critical vulnerabilities.--severity CRITICAL
: Specifies the severity level asCRITICAL
, indicating that Trivy should focus on vulnerabilities with a critical severity level.--light
: Uses the light mode for vulnerability detection, which may reduce the scan time but might result in potential false negatives.
By executing this command, Trivy will analyze the specified Docker image for vulnerabilities. If any critical vulnerabilities are detected, the exit code will be set to 1, indicating a failed scan.
CI/CD pipeline JENKINS + Trivy (bash script)
This is an example of when I use trivy in Jenkins pipeline.
To integrate Trivy into your CI/CD pipeline using Jenkins and a bash script, you can follow these steps:
1-dockerfile
2-prepare the script shell to be used trivy-image-scan.sh
3-Add a new stage on you’re Jenkinsfile
— — — — — — — — — — — — — —
1 dockerfile
FROM openjdk:8-jdk-alpine
EXPOSE 8080
ARG JAR_FILE=target/*.jar
ADD ${JAR_FILE} app.jar
ENTRYPOINT ["java","-jar","/app.jar"]
2 — Script: trivy-image-scan.sh
2–1 generate token from GitHub
https://github.com/settings/tokens
trivy-image-scan.sh
#!/bin/bash
#get the image name from Dockerfile file
dockerImageName=$(awk 'NR==1 {print $2}' Dockerfile)
echo $dockerImageName
#-e TRIVY_GITHUB_TOKEN=$token: Sets an environment variable TRIVY_GITHUB_TOKEN with the provided token value. This is used to access private GitHub repositories during vulnerability scanning.
docker run --rm -v $WORKSPACE:/root/.cache/ -e TRIVY_GITHUB_TOKEN='token_github' aquasec/trivy:0.17.2 -q image --exit-code 1 --severity CRITICAL --light $dockerImageName
# Trivy scan result processing
exit_code=$?
echo "Exit Code : $exit_code"
# Check scan results
if [[ "${exit_code}" == 1 ]]; then
echo "Image scanning failed. Vulnerabilities found"
exit 1;
else
echo "Image scanning passed. No CRITICAL vulnerabilities found"
fi;
3— Add a new stage on you’re Jenkinsfile
pipeline {
agent any
stages {
stage('Vulnerability Scan - Docker Trivy') {
steps {
//--------------------------replace variable token_github on file trivy-image-scan.sh
withCredentials([string(credentialsId: 'trivy_github_token', variable: 'TOKEN')]) {
sh "sed -i 's#token_github#${TOKEN}#g' trivy-image-scan.sh"
sh "sudo bash trivy-image-scan.sh"
}
}
}
}
When we execute the pipeline, here is the outcome/result:
As you can see, the script has found 4 critical vulnerabilities, and the “Exit code” is set to 1 to stop the next steps, like the build, from running.
This is done to make sure that we don’t proceed with potentially insecure code until the vulnerabilities are fixed.
Hope this will help!
if you like my article :
NHAILA Achraf
#devsecops #devops #trivy #jenkins #ci/cd #Security Scanning #vulnerability-scanning #Security