2.3. Secure Images
Many container images contain known security issues. If you want to use images from public registries, you should be able to scan them to verify that an image is clean.
There are several tools on the market that can help you check these images.
In this lab you will learn how to scan an image with the tool Trivy.
Scan image for vulnerabilities and secrets
Trivy is as simple as it sounds! Just point it to your image and it will do the rest.
When Trivy runs for the very first time, it will download the latest vulnerability database from the internet. Without this, Trivy is not able to scan anything.
Note: A pre-download of the database is possible if Trivy has no direct access to the internet.
Scan an image for vulnerabilities:
trivy image example-spring-boot-helloworld:v0.1
Sometimes the Trivy API gets overwhelmed with requests and reports an error; just try again after a minute if that happens. A workaround is to fetch the vulnerability database from another registry:
trivy image --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --java-db-repository "ghcr.io/aquasecurity/trivy-java-db:1" example-spring-boot-helloworld:v0.1
As you can see, we obtain the library name, CVE vulnerability number, severity level (HIGH, MEDIUM, LOW), vulnerability status (fixed, not fixed, or will not fix), and if fixed, the version with the fix, along with detailed information about the vulnerability.
With this data, we can upgrade libraries with fixes, assess the risk level of unfixed vulnerabilities, and remove unnecessary vulnerable libraries. Additionally, we have the opportunity to explore alternative libraries that are more secure.
In our case, we might find some vulnerable Java libraries which need to be updated in the file build.gradle. If you have some experience with Gradle you can try to fix them and build a new image.
Image scanning tools like this are usually a mandatory step in a CI/CD pipeline before the image is uploaded to a registry. Generally, CVEs with a severity up to a certain threshold are accepted and the rest are blocked.
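To show how the report fields described above (package, CVE id, severity, fix status, fixed version) turn into the pipeline gate just mentioned, here is an added example that is not part of the lab or of Trivy itself. It parses a report in the shape that `trivy image --format json` produces and applies the same threshold logic as Trivy's `--severity` and `--exit-code` flags, so a practitioner can see what the gate decides and why. The report embedded below is a constructed sample; its CVE ids, package names and versions are made-up placeholders and not findings from the lab image.

```python
"""Gate a Trivy JSON report on a severity threshold (added example, not from the lab)."""
import json
from collections import Counter

# Severity ranking used by Trivy's --severity flag, lowest to highest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the shape of `trivy image --format json` output.
# The CVE ids, package names and versions are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example-spring-boot-helloworld:v0.1",
    "Results": [
        {
            "Target": "app.jar",
            "Class": "lang-pkgs",
            "Type": "jar",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "org.example:lib-a",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "HIGH", "Status": "fixed"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "org.example:lib-b",
                 "InstalledVersion": "2.3.0", "FixedVersion": "",
                 "Severity": "CRITICAL", "Status": "affected"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "org.example:lib-c",
                 "InstalledVersion": "0.9.0", "FixedVersion": "0.9.5",
                 "Severity": "LOW", "Status": "fixed"},
            ],
        },
        {
            "Target": "example-spring-boot-helloworld:v0.1 (alpine 3.18)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libfoo",
                 "InstalledVersion": "1.2-r0", "FixedVersion": "1.2-r1",
                 "Severity": "MEDIUM", "Status": "fixed"},
            ],
        },
    ],
})


def load_findings(report_json):
    """Flatten every Results[].Vulnerabilities[] entry into one list of dicts."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy omits the key (or emits null) for targets with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln["InstalledVersion"],
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN"),
                "target": result.get("Target", ""),
            })
    return findings


def count_by_severity(findings):
    """Summary counter, the same numbers Trivy prints in its table header."""
    return Counter(f["severity"] for f in findings)


def blocking_findings(findings, threshold="HIGH", ignore_unfixed=False):
    """Findings at or above the threshold; optionally skip those without a fix
    (the equivalent of Trivy's --ignore-unfixed)."""
    min_rank = SEVERITY_ORDER.index(threshold)
    blocking = []
    for f in findings:
        if SEVERITY_ORDER.index(f["severity"]) < min_rank:
            continue
        if ignore_unfixed and not f["fixed"]:
            continue
        blocking.append(f)
    return blocking


def gate(report_json, threshold="HIGH", ignore_unfixed=False):
    """Return (exit_code, blocking) with the semantics of `trivy --exit-code 1`."""
    findings = load_findings(report_json)
    blocking = blocking_findings(findings, threshold, ignore_unfixed)
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    code, blocked = gate(SAMPLE_REPORT, threshold="HIGH")
    for f in blocked:
        action = (f"upgrade to {f['fixed']}" if f["fixed"]
                  else "no fix available: assess the risk or replace the library")
        print(f"{f['severity']:8} {f['id']} {f['pkg']} {f['installed']} -> {action}")
    print("exit code", code)
```

In a real pipeline you would feed it the file written by `trivy image --format json --output report.json <image>`; with the sample above and a HIGH threshold the gate fails the build on two findings, one of which has an upgrade available and one of which has no fix and therefore needs a risk decision rather than a version bump. Passing `ignore_unfixed=True` mirrors `--ignore-unfixed` and lets the unfixed CRITICAL through, which is exactly the trade-off a team makes when it chooses that flag.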