Trivy Image Scanning
source link: http://www.chenshake.com/trivy-mirror-scan/
Security scanning of container images is a topic that comes up more and more, and DevSecOps is starting to get attention. If you want to check whether the current K8s cluster contains the Log4j vulnerability, how would you go about it? Quite a few vendors are talking about container security these days, so it helps to build up your own skills first so you have something to discuss when you meet them.

Trivy is an open-source tool from Aqua (a company focused on cloud-native security).

At least for now, it can scan:
- container images
- container tar archives
- Kubernetes and Terraform deployment files (configuration checks)

The official docs offer several ways to install it. For me the rpm package is the simplest, so that is what I chose.
```
wget https://hub.fastgit.org/aquasecurity/trivy/releases/download/v0.21.2/trivy_0.21.2_Linux-64bit.rpm
rpm -ivh trivy_0.21.2_Linux-64bit.rpm
# which trivy
/usr/local/bin/trivy
trivy -v
Version: 0.21.2
```
It is written in Go, so a single executable is all it takes.

Security scanners usually need to download a vulnerability database. Trivy updates its database quite frequently, and it fetches it from GitHub, which is very slow from here, so an offline setup is needed.
- https://github.com/aquasecurity/trivy-db/releases

Download trivy-offline.db.tgz and place it in the trivy cache directory. The default cache directory can be seen in the help output:
```
# trivy -h
NAME:
   trivy - A simple and comprehensive vulnerability scanner for containers
USAGE:
   trivy [global options] command [command options] target
VERSION:
   0.21.2
COMMANDS:
   image, i          scan an image
   filesystem, fs    scan local filesystem for language-specific dependencies and config files
   rootfs            scan rootfs
   repository, repo  scan remote repository
   client, c         client mode
   server, s         server mode
   config, conf      scan config files
   plugin, p         manage plugins
   help, h           Shows a list of commands or help for one command
GLOBAL OPTIONS:
   --quiet, -q       suppress progress bar and log output (default: false) [$TRIVY_QUIET]
   --debug, -d       debug mode (default: false) [$TRIVY_DEBUG]
   --cache-dir value cache directory (default: "/root/.cache/trivy") [$TRIVY_CACHE_DIR]
   --help, -h        show help (default: false)
   --version, -v     print the version (default: false)
```
Copy trivy-offline.db.tgz into the cache directory and extract it:
```
cp /root/trivy-offline.db.tgz .cache/trivy/db/
cd .cache/trivy/db/
tar zxvf trivy-offline.db.tgz
# ls
metadata.json  trivy.db  trivy-offline.db.tgz
rm trivy-offline.db.tgz
```
At this point the offline db is ready. When scanning an image, remember to add the parameter `--skip-update`.

The software updates quickly and the parameters change a lot, so keep an eye on the version number; 0.22 and 0.21 already differ in their parameters.

Scanning the first image:
```
# trivy image --skip-update alpine:3.15.0
2022-01-05T10:34:24.858+0800 INFO Detected OS: alpine
2022-01-05T10:34:24.858+0800 INFO Detecting Alpine vulnerabilities...
2022-01-05T10:34:24.858+0800 INFO Number of language-specific files: 0

alpine:3.15.0 (alpine 3.15.0)
=============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```
Now find an image that has the log4j vulnerability to verify the scan:
```
docker pull elasticsearch:5.6.13
docker tag elasticsearch:5.6.13 hub.bj.sugon.tech:5000/elasticsearch:5.6.13
docker push hub.bj.sugon.tech:5000/elasticsearch:5.6.13
# trivy image --skip-update --severity CRITICAL hub.bj.sugon.tech:5000/elasticsearch:5.6.13 | grep 'CVE-2021-44228'
| org.apache.logging.log4j:log4j-api  | CVE-2021-44228 | | 2.11.1 | 2.15.0 | log4j-core: Remote code execution |
| org.apache.logging.log4j:log4j-core | CVE-2021-44228 | |        | 2.15.0 | log4j-core: Remote code execution |
```
I pulled the image locally and pushed it to my own registry before scanning; scanning directly against Docker Hub is rather slow.

You can also scan the images running in the current k8s cluster. The idea is to first list all images in the cluster and then scan each one to see whether it has the log4j vulnerability.
- https://medium.com/linkbynet/cve-2021-44228-finding-log4j-vulnerable-k8s-pods-with-bash-trivy-caa10905744d
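As an added example that is not part of the original post, here is a shell script for that procedure: it gathers the images from kubectl, dedupes them, and scans each one offline with trivy, keeping only the rows that mention CVE-2021-44228. The jsonpath query, the function names and the sample image list are my own assumptions, not something from the post or the Trivy project.

```shell
#!/bin/sh
# Added example, not from the original post: list every image running in a
# cluster, dedupe, and scan each one offline with trivy for CVE-2021-44228.
# Assumes kubectl is configured for the cluster and the offline trivy db
# (trivy.db + metadata.json) is already in the cache directory.

# jsonpath that prints one image reference per line for every init
# container and regular container of every pod.
KUBECTL_IMAGES_JSONPATH='{range .items[*]}{range .spec.initContainers[*]}{.image}{"\n"}{end}{range .spec.containers[*]}{.image}{"\n"}{end}{end}'

# Constructed sample of what the kubectl query above prints (blank lines
# and duplicates included), so the dedupe step can be exercised offline.
sample_cluster_images() {
    printf '%s\n' \
        'docker.io/library/nginx:1.21' \
        '' \
        'k8s.gcr.io/pause:3.5' \
        'docker.io/library/nginx:1.21' \
        'hub.bj.sugon.tech:5000/elasticsearch:5.6.13'
}

# stdin: image references, one per line. stdout: sorted, unique, no blanks.
unique_images() {
    grep -v '^[[:space:]]*$' | sort -u
}

# Live query: every distinct image in all namespaces.
list_cluster_images() {
    kubectl get pods -A -o jsonpath="$KUBECTL_IMAGES_JSONPATH" | unique_images
}

# Offline scan of one image; prints the rows mentioning $2 and returns 0
# only when that CVE appears. --quiet is a global flag, so it goes before
# the "image" subcommand (see the help output above).
scan_image_for_cve() {
    trivy --quiet image --skip-update --severity CRITICAL "$1" | grep -F "$2"
}

# Walk the cluster and report every image that still ships vulnerable log4j.
scan_cluster_for_log4j() {
    list_cluster_images | while read -r img; do
        if scan_image_for_cve "$img" CVE-2021-44228 >/dev/null; then
            echo "VULNERABLE: $img"
        else
            echo "ok: $img"
        fi
    done
}
```

Run `scan_cluster_for_log4j` against a live cluster; `sample_cluster_images | unique_images` shows the dedupe step on the constructed input without needing kubectl or trivy.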