Blog
Secure Docker container creation in CI/CD pipelines with Trivy vulnerability scanner
In today’s software development landscape, security is paramount. With the rise of containerization, ensuring the security of Docker images is essential to protect against vulnerabilities and potential exploits. CI/CD pipelines provide a robust platform for automating software delivery. Integrating security scanning tools like Trivy fortifies your container creation process. In this blog post, we’ll explore how to improve the security of Docker containers in CI/CD pipelines using Trivy.
Why Secure Docker containers matter
Docker containers offer numerous benefits, including portability, scalability, and consistency across environments. But they also present security challenges. Vulnerabilities within container images can expose applications to various risks, such as data breaches, system compromises, or service disruptions. That’s why it’s crucial to address security concerns throughout the complete container lifecycle, from development to deployment.
Introducing Trivy
Trivy is an open-source vulnerability scanner for containers and other artifacts, designed to quickly identify security issues within images. By using Trivy in your CI/CD pipelines, you can automate vulnerability assessments and ensure that only secure container images are deployed into production environments.
Integrating Trivy into CI/CD pipelines
CI/CD pipelines offer a flexible and customizable approach to software delivery. By adding Trivy to your pipelines, you can seamlessly integrate vulnerability scanning into your container creation process. Here’s an overview of how you can do this:
- Install Trivy: Start by installing Trivy in your CI/CD environment. You can either use Trivy as a standalone tool or incorporate it into a Docker container for easier integration.
- Configure pipeline: Set up a CI/CD pipeline for building Docker images. This pipeline should include stages for image creation, scanning with Trivy, and deployment.
- Integrate Trivy scan: Add a step to your pipeline to execute Trivy and scan the Docker image for vulnerabilities. Trivy can be invoked through a simple command line interface, making it easy to incorporate into your pipeline scripts.
- Analyze results: After the Trivy scan is complete, analyze the results to identify any vulnerabilities discovered. Trivy provides detailed reports, including information on the severity of each vulnerability and recommendations for mitigation.
- Fail build on vulnerabilities: To enforce security standards, configure your pipeline to fail if any critical vulnerabilities are found during the Trivy scan. This ensures that only images that pass the Trivy scan are promoted to production.
Setting up an Azure DevOps pipeline
Create a YAML pipeline in Azure DevOps to build a Docker image, scan it with Trivy, and push it to a container registry if no vulnerabilities are detected.
Step 1: Create a new pipeline
- Log in to your Azure DevOps account and navigate to your project.
- Go to “Pipelines” > “New Pipeline” and select “Azure Repos Git” as your source.
Step 2: Define the YAML pipeline
Replace <YourContainerRegistry> and <YourDockerfile> with your actual container registry and Dockerfile names.
((Codeblock begin))
trigger:
– main
pool:
vmImage: ‘ubuntu-latest’
steps:
– task: Docker@2
displayName: ‘Build Docker image’
inputs:
command: ‘build’
dockerfile: ‘<YourDockerfile>’
tags: ‘latest’
repository: ‘<YourContainerRegistry>/<YourImageName>’
((Codeblock end))
Step 3: Add Trivy scanning
Add a step to your pipeline to run Trivy and scan your Docker image for vulnerabilities.
- Add the Trivy scanning step after building the Docker image:
((Codeblock begin))
– task: Bash@3
displayName: ‘Run Trivy vulnerability scan’
inputs:
targetType: ‘inline’
script: |
# Install Trivy
Wget https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz
tar zxvf trivy_0.49.1_Linux-64bit.tar.gz
sudo mv trivy /usr/local/bin/trivy
rm trivy_0.49.1_Linux-64bit.tar.gz
# Run Trivy scan
trivy image –severity HIGH,CRITICAL –exit-code 1 <YourContainerRegistry>/<YourImageName>:latest
((Codeblock end))
In the scanning step, configure Trivy to close the scanning with exit code 1 if a high or critical vulnerability is found in the container. Exit code 1 lets Azure pipeline fail the step and stops pipeline execution. Trivy shows logs on findings and suggests fixed library versions.
Step 4: Add Docker push
Add a step to your pipeline to push the docker image to the container registry. This step would only run if no vulnerabilities are found by Trivy.
- Add the Docker push step after the Trivy scan:
((Codeblock begin))
– task: Docker@2
displayName: ‘Push Docker image to Container Registry’
inputs:
command: ‘push’
tags: ‘latest’
repository: ‘<YourContainerRegistry>/<YourImageName>’
((Codeblock end))
Complete YAML Pipeline
Here’s the complete YAML pipeline with Trivy scanning:
((Codeblock begin))
trigger:
– main
pool:
vmImage: ‘ubuntu-latest’
steps:
– task: Docker@2
displayName: ‘Build Docker image’
inputs:
command: ‘build’
dockerfile: ‘<YourDockerfile>’
tags: ‘latest’
repository: ‘<YourContainerRegistry>/<YourImageName>’
– task: Bash@3
displayName: ‘Run Trivy vulnerability scan’
inputs:
targetType: ‘inline’
script: |
# Install Trivy
wget https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz
tar zxvf trivy_0.49.1_Linux-64bit.tar.gz
sudo mv trivy /usr/local/bin/trivy
rm trivy_0.49.1_Linux-64bit.tar.gz
# Run Trivy scan
trivy image –severity HIGH,CRITICAL –exit-code 1 <YourContainerRegistry>/<YourImageName>:latest
– task: Docker@2
displayName: ‘Push Docker image to Container Registry’
inputs:
command: ‘push’
tags: ‘latest’
repository: ‘<YourContainerRegistry>/<YourImageName>’
((Codeblock end))
Benefits of secure container creation
Integrating Trivy into your CI/CD pipelines provides several benefits:
- Early detection: Identify vulnerabilities in Docker images early in the development process, minimizing the risk of deploying insecure code.
- Automated security checks: Automate security scans within your CI/CD pipeline, reducing the need for manual intervention and ensuring consistent security practices.
- Comprehensive reporting: Trivy provides detailed reports on discovered vulnerabilities, empowering teams to make informed decisions about risk mitigation strategies.
- Improved compliance: Meet compliance requirements by implementing security measures throughout the container lifecycle, from development to deployment.
Conclusion
Securing Docker containers is essential for safeguarding your applications and infrastructure against potential threats. By integrating Trivy into your CI/CD pipeline, you can automate vulnerability scanning and ensure that only secure container images are deployed into production. With proactive security measures in place, you can enhance the resilience of your software systems and maintain the trust of your customers and stakeholders.