Docker Scan (Trivy)
Importing Trivy container image scan results to FutureVuls
aquasecurity/trivy is an OSS tool to detect vulnerabilities in Docker images. FutureVuls can import Trivy scan results, allowing you to manage container image vulnerabilities on FutureVuls.
For details on the supported languages and package ecosystems, refer to Trivy Supported OS.
There is also a method of scanning container images on a container registry by integrating with Amazon ECR or Google Artifact Registry. Refer to Scanning Vulnerabilities in Docker Images on Container Registries for more information.
However, as of July 2022, Trivy has higher vulnerability detection accuracy and can scan libraries in images. Therefore, we recommend using this method with Trivy.
You can use Trivy container image scanning in two ways:
Installing Trivy in your local environment and scanning images
Install Trivy in your local environment and upload the results of scanning container images to FutureVuls. You can choose between two installation modes: normal and lightweight. The differences are as follows:
| Item | Description | Normal | Lightweight |
|---|---|---|---|
| Root permission | Whether root permission is required at installation | Required | Not required |
| Supported environments | Local environments that can be set up | Reference | Linux in general |
| Regular scans | Whether to scan images automatically on a regular basis | Supported | Not supported |
In the lightweight version, root permission is not required, but you need to manually scan container images periodically. To keep vulnerability information up to date by constantly synchronizing container image configuration with FutureVuls, we recommend using the normal version of the scan whenever possible.
Scanning a new container image
To scan a new container image and register it with FutureVuls, follow these steps:
- Open the dialog by selecting
Add Serveron the Server tab and selectingScan Container Images.
- Select the scan token and enter the image name of the target container image.
- Specify in the
<image name>:<tag>format. - If you always want to scan the latest version of the image, specify
<image name>:<latest>.
- Specify in the
- If you are in a proxy environment, enter the proxy server to be used.
- If you want to use the lightweight version, check the switch bar.
- Copy and paste the command displayed at the bottom of the screen, and execute it in the local environment that manages the target image.
- For the normal version, execute with root privileges.
- For the normal version, execute with root privileges.
- Check that the scanned image has been added to the server tab of the target group in FutureVuls.
- For the normal version, it takes about 5-10 minutes for the changes to be reflected in FutureVuls.
- If you want to scan immediately after installation, execute the following command:
/opt/vuls-trivy-saas/vuls-trivy-saas.sh &> /opt/vuls-trivy-saas/vuls-trivy.log
- If you want to scan immediately after installation, execute the following command:
- For the normal version, it takes about 5-10 minutes for the changes to be reflected in FutureVuls.
Registration is complete. For the normal version, the scanner will automatically start once a day to scan the target container images and reflect them in FutureVuls.
For the normal version, you can also use several scan options.
If the scan results are not reflected, refer to here.
Update registered container image information
Update vulnerability information based on the registered configuration information
If you want to update vulnerability information based on the registered configuration information of a container image that is already registered in FutureVuls, manually run the scan from FutureVuls.
Reflect changes in container image configuration information in FutureVuls
If there are any changes to the container image configuration information registered in FutureVuls, follow these steps to reflect them in FutureVuls.
- For the normal version:
- Since the scanner starts once a day to scan the image, there is no need for any additional operation.
- If you want to start the scanner immediately, execute the following command with
rootorvuls-trivy-saasuser:/opt/vuls-trivy-saas/vuls-trivy-saas.sh &> /opt/vuls-trivy-saas/vuls-trivy.log
- For the lightweight version:
- Click the target container image in the server tab to open the server details page.
- Click the
Update Configuration Informationbutton to open the dialog.
- Select the scanner token and enter the image name of the target container image.
- If you are in a proxy environment, enter the proxy server to be passed through.
- Copy the command displayed at the bottom of the screen and paste it into the local environment managing the target image to execute.
Integration with CI/CD pipeline
Integrate Trivy into your CI/CD pipeline and upload the scan results of container images to FutureVuls. This document provides an example using GitHub Actions. The sample YAML file for GitHub Actions is as follows.
- Environment variables used in the sample
| Variable | Description | Required |
|---|---|---|
| VULS_SAAS_GROUPID | ID of the group to upload scan results to | ✅ |
| VULS_SAAS_TOKEN | Token with scan permissions | ✅ |
| DOCKERFILE_PATH | Path to the Dockerfile that generates the image | ✅ |
| TARGET_IMAGE | Image to scanSpecify in the format of <image name>:<tag> |
✅ |
| VULS_SAAS_UUID | UUID of the target imageSpecify a value generated with the uuidgen command or similar for new registrationsIf you specify the UUID of a registered server that manages the same image on FutureVuls, it will be an update process. |
✅ |
- If you want to update the configuration information of an image that is already managed on FutureVuls, specify the UUID of the target image as
VULS_SAAS_UUID.
We recommend setting the following environment variables using encrypted secrets.
- VULS_SAAS_GROUPID
- VULS_SAAS_TOKEN
With this information, it is possible to upload scan results of any server to the specified group on FutureVuls.
Download the scan script
In this example, a script file for scanning is used to perform the scan.
name: FutureVuls Docker Image Scan
on:
push
defaults:
run:
shell: bash
jobs:
docker-test:
name: FutureVuls Docker Image Scan
env:
VULS_SAAS_GROUPID: ${{ secrets.VULS_SAAS_GROUPID }}
VULS_SAAS_TOKEN: ${{ secrets.VULS_SAAS_TOKEN }}
DOCKERFILE_PATH: "docker/anything/Dockerfile"
TARGET_IMAGE: "imageName:tag"
VULS_SAAS_UUID: "xxxxxxxx"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: cached scan db
uses: actions/cache@v3
with:
path: vulndb/
key: trivy-vulndb
- name: scan and upload
env:
run: |
docker build . -f ${env.DOCKERFILE_PATH} -t ${env.TARGET_IMAGE}
curl -s https://installer.vuls.biz/vuls-trivy-light.sh | \
VULS_SAAS_GROUPID="${env.VULS_SAAS_GROUPID}" \
VULS_SAAS_TOKEN="${env.VULS_SAAS_TOKEN}" \
TARGET_IMAGE="${env.TARGET_IMAGE}" \
VULS_SAAS_UUID="${env.VULS_SAAS_UUID}" \
bash -s inst
Using Docker image
In this example, scanning is performed using a Docker image for scanning.
name: FutureVuls Docker Image Scan
on:
push
defaults:
run:
shell: bash
jobs:
container-scan:
name: FutureVuls Docker Image Scan
env:
VULS_SAAS_GROUPID: xxx
VULS_SAAS_TOKEN: xxxxxxxxx
FVULS_AUTH_URL: "https://auth.vuls.biz/one-time-auth"
DOCKERFILE_PATH: "path/to/dockerfile"
TARGET_IMAGE: "image-name"
VULS_SAAS_UUID: xxxxxxxxx
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: cached scan db
uses: actions/cache@v3
with:
path: vulndb/
key: trivy-vulndb
- name: Build dockerfile
run: docker build . -f ${{ env.DOCKERFILE_PATH }} -t ${{ env.TARGET_IMAGE }}
- name: Scan the image and upload to FutureVuls
uses: docker://vuls/fvuls
with:
entrypoint: '/bin/sh'
args: |-
-c "\
set -eo pipefail
trivy -q --cache-dir vulndb/ image -f json --list-all-pkgs ${{ env.TARGET_IMAGE }} | \
trivy-to-vuls parse --stdin | \
future-vuls upload --stdin --group-id ${{ env.VULS_SAAS_GROUPID }} --token ${{ env.VULS_SAAS_TOKEN }} --uuid ${{ env.VULS_SAAS_UUID }} \
"
When Scanning Fails
Refer to the FAQ