Trivy

Trivy 개요

Trivy는 컨테이너 이미지를 분석하여 취약점, 악성 소프트웨어, 정책 위반 등을 식별하고 보고하는 도구이다.

 

<특징>

• Container Images, Git Repositories, Filesystem 같은 항목들을 스캐닝 하고, 문제점을 빠르게 요약해서 보여준다.
• Kubernetes 대시보드, Aqua 대시보드 등 GUI로 확인 가능하다.

 

Trivy 실행하기

# 기본 시행 명령어 

$ trivy {image 이름}

 

# 특정 수준만 체크하기 정의 

 $trivy repo --quiet --severity CRITICAL {image 이름}

# 기본 시행 명령어 
trivy {image 이름}


# 특정 수준만 체크하기 정의 
trivy repo --quiet --severity CRITICAL {image 이름}

 

Trivy 실행 예시

이미지 찾기

controlplane $ k -n applications get pods 
NAME                   READY   STATUS    RESTARTS   AGE
web1-d89b7f6bb-2d9dq   1/1     Running   0          7m19s
web1-d89b7f6bb-jjn2v   1/1     Running   0          7m19s
web2-8d7c8c6d8-c95cx   1/1     Running   0          7m19s



controlplane $ k -n infra get pods       
NAME                       READY   STATUS    RESTARTS   AGE
inf-hjk-669bd4f9fb-4ldkx   1/1     Running   0          7m39s
inf-hjk-669bd4f9fb-dl976   1/1     Running   0          7m39s
inf-hjk-669bd4f9fb-ttq56   1/1     Running   0          7m39s

 

trivy로 이미지 검색하기

controlplane $ trivy nginx:1.19.1-alpine-perl grep CVE-2021-28831 -C 3
2024-02-11T21:38:46.159Z        WARN    The root command will be removed. Please migrate to 'trivy image' command. See https://github.com/aquasecurity/trivy/discussions/1515
2024-02-11T21:38:46.159Z        ERROR   multiple targets cannot be specified
2024-02-11T21:38:46.160Z        FATAL   option error: option initialize error: arguments error

 

controlplane $ trivy nginx:1.20.2-alpine  grep CVE-2021-28831 -C 3
2024-02-11T21:39:36.693Z        WARN    The root command will be removed. Please migrate to 'trivy image' command. See https://github.com/aquasecurity/trivy/discussions/1515
2024-02-11T21:39:36.693Z        ERROR   multiple targets cannot be specified
2024-02-11T21:39:36.694Z        FATAL   option error: option initialize error: arguments error

 

controlplane $ trivy httpd:2.4.39-alpine  CVE-2016-9841 -C 3
2024-02-11T21:40:16.731Z        WARN    The root command will be removed. Please migrate to 'trivy image' command. See https://github.com/aquasecurity/trivy/discussions/1515
2024-02-11T21:40:16.732Z        ERROR   multiple targets cannot be specified
2024-02-11T21:40:16.732Z        FATAL   option error: option initialize error: arguments error

 

 

문제된 image의 파드 개수를 0으로 만들기

controlplane $ k -n applications scale deployments.apps web1 --replicas 0
deployment.apps/web1 scaled

 

controlplane $ k -n applications scale deployments.apps web2 --replicas 0
deployment.apps/web2 scaled

 

controlplane $ k -n  infra scale deployment inf-hjk --replicas 0
deployment.apps/inf-hjk scaled

 

참고 URL

https://trivy.dev/ 

https://killercoda.com/killer-shell-cks/scenario/image-vulnerability-scanning-trivy