Introduction:
In today’s fast-paced software development landscape, security is paramount. With cyber threats evolving constantly, developers need robust tools to ensure the safety of their applications. One such tool gaining popularity is Trivy, a comprehensive vulnerability scanner for containers and other artifacts. Trivy helps developers detect vulnerabilities in their dependencies early in the development lifecycle, allowing them to address issues before they become security risks.
In this guide, we’ll explore how to install Trivy on various operating systems, empowering developers to enhance the security of their software supply chain.
What is Trivy?
Trivy is an open-source vulnerability scanner designed specifically for containers and other artifacts, such as operating system packages and programming language modules. It draws on vulnerability sources such as CVE records, the NVD, and Red Hat Security Advisories (RHSA) to detect security issues in dependencies.
Key Features of Trivy:
- Extensive Vulnerability Database: Trivy utilizes multiple vulnerability databases to ensure comprehensive coverage of known vulnerabilities.
- Fast and Lightweight: Trivy is optimized for speed and efficiency, making it suitable for integration into CI/CD pipelines and container orchestration platforms.
- Simple CLI Interface: Trivy offers a user-friendly command-line interface, making it easy to use for both security professionals and developers.
- Integration with CI/CD Pipelines: Trivy seamlessly integrates with CI/CD pipelines, enabling automated vulnerability scanning of Docker images as part of the software development lifecycle.
Installation of Trivy:
RHEL/CentOS:
Add repository setting to /etc/yum.repos.d.
$ sudo vim /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
gpgcheck=0
enabled=1
$ sudo yum -y update
$ sudo yum -y install trivy
or
rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.18.3/trivy_0.18.3_Linux-64bit.rpm
Debian/Ubuntu:
Add repository to /etc/apt/sources.list.d.
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
or
wget https://github.com/aquasecurity/trivy/releases/download/v0.18.3/trivy_0.18.3_Linux-64bit.deb
sudo dpkg -i trivy_0.18.3_Linux-64bit.deb
Arch Linux:
Package trivy-bin can be installed from the Arch User Repository. Examples:
pikaur -Sy trivy-bin
or
yay -Sy trivy-bin
Homebrew:
You can use Homebrew on macOS and Linux.
brew install aquasecurity/trivy/trivy
Nix/NixOS:
You can use Nix on Linux or macOS (and, unofficially, on other systems).
Note that trivy is currently only in the unstable channels.
nix-env --install trivy
Alternatively, add it through your NixOS configuration or with home-manager as usual.
Install Script:
This script downloads the Trivy binary matching your OS and architecture and places it in the directory given after -b.
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.3
Docker:
Docker Hub
Replace [YOUR_CACHE_DIR] with the cache directory on your machine.
docker pull aquasec/trivy:0.18.3
Example for Linux:
docker run --rm -v [YOUR_CACHE_DIR]:/root/.cache/ aquasec/trivy:0.18.3 [YOUR_IMAGE_NAME]
Example for macOS:
docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.18.3 python:3.4-alpine
If you want to scan an image that lives in your host's Docker daemon (for example one you built locally), you need to mount docker.sock into the container.
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
  -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.18.3 python:3.4-alpine
If you get an error, re-pull the latest aquasec/trivy image and try again.
Amazon ECR Public:
The same image is hosted on Amazon ECR Public as well.
docker pull public.ecr.aws/aquasecurity/trivy:0.18.3
GitHub Container Registry:
The same image is hosted on GitHub Container Registry as well.
docker pull ghcr.io/aquasecurity/trivy:0.18.3
Helm:
Installing from the Aqua Chart Repository.
helm repo add aquasecurity https://aquasecurity.github.io/helm-charts/
helm repo update
helm search repo trivy
helm install my-trivy aquasecurity/trivy
Installing the Chart.
To install the chart with the release name my-release:
helm install my-release .
The command deploys Trivy on the Kubernetes cluster in the default configuration. The Parameters section lists the parameters that can be configured during installation.
Using Trivy:
Once installed, using Trivy is straightforward. Simply navigate to your project directory containing the artifacts you want to scan and run the following command:
trivy image <IMAGE_NAME>
Replace <IMAGE_NAME> with the name of the container image or the path to the artifact you want to scan. Trivy will then analyze the specified artifact and provide a report detailing any vulnerabilities found, including their severity levels and links to additional information.
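The report that `trivy image` prints is meant for a human; in a pipeline you usually want a machine-readable result and a clear pass/fail. The script below is an added example, not code from this page or from the Trivy project. It assumes the layout of Trivy's JSON report (a top-level "Results" list whose entries have a "Target" and a "Vulnerabilities" list, each finding carrying "VulnerabilityID", "PkgName", "InstalledVersion", "FixedVersion" and "Severity"), that `trivy` is on PATH when a real image is passed, and a hypothetical filename trivy_gate.py; SAMPLE_REPORT is constructed with placeholder IDs, not real scanner output, so the script runs without Trivy installed.

```python
"""Turn a Trivy JSON report into a CI pass/fail decision with a per-severity summary.

Added example, not code from the page or the Trivy project. Assumes Trivy's
JSON report layout: "Results" -> each with "Target" and "Vulnerabilities"
(absent or null when nothing was found) -> each finding with "VulnerabilityID",
"PkgName", "InstalledVersion", "FixedVersion", "Severity".
"""
import json
import subprocess
import sys
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the Trivy JSON layout; "EXAMPLE-CVE-000x" are placeholders.
SAMPLE_REPORT = {
    "ArtifactName": "registry.example/app:1.0",
    "Results": [
        {
            "Target": "registry.example/app:1.0 (alpine)",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-CVE-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0.0", "FixedVersion": "",  # no fix available yet
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "EXAMPLE-CVE-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.1.0", "FixedVersion": "2.1.1",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "EXAMPLE-CVE-0003", "PkgName": "libbaz",
                 "InstalledVersion": "0.9", "FixedVersion": "0.9.1",
                 "Severity": "MEDIUM"},
            ],
        },
        # A target with no findings: the key is omitted or null in real reports.
        {"Target": "app/requirements.txt", "Vulnerabilities": None},
    ],
}


def _rank(severity) -> int:
    """Position of a severity string in SEVERITY_ORDER; anything unrecognised ranks as UNKNOWN."""
    sev = (severity or "UNKNOWN").upper()
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0


def iter_findings(report: dict):
    """Yield (target, finding) for every vulnerability in the report, tolerating empty targets."""
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), v


def summarize(report: dict) -> dict:
    """Count findings per severity across all targets, e.g. {"CRITICAL": 1, "HIGH": 1}."""
    counts = Counter(SEVERITY_ORDER[_rank(v.get("Severity"))] for _, v in iter_findings(report))
    return dict(counts)


def failing_findings(report: dict, threshold: str = "HIGH", ignore_unfixed: bool = False) -> list:
    """Findings at or above `threshold`, worst first.

    ignore_unfixed mirrors Trivy's --ignore-unfixed flag: drop findings with no
    FixedVersion, which can only be tracked, not patched, today.
    """
    min_rank = _rank(threshold)
    hits = []
    for target, v in iter_findings(report):
        if _rank(v.get("Severity")) < min_rank:
            continue
        if ignore_unfixed and not v.get("FixedVersion"):
            continue
        hits.append({
            "target": target,
            "id": v.get("VulnerabilityID"),
            "pkg": v.get("PkgName"),
            "installed": v.get("InstalledVersion"),
            "fixed": v.get("FixedVersion") or "(none)",
            "severity": SEVERITY_ORDER[_rank(v.get("Severity"))],
        })
    hits.sort(key=lambda h: -_rank(h["severity"]))
    return hits


def gate(report: dict, threshold: str = "HIGH", ignore_unfixed: bool = False) -> int:
    """Process exit status for CI: 1 when any finding crosses the threshold, else 0."""
    return 1 if failing_findings(report, threshold, ignore_unfixed) else 0


def run_trivy(image: str) -> dict:
    """Run `trivy image --format json --quiet IMAGE` and parse its stdout (needs trivy on PATH)."""
    proc = subprocess.run(["trivy", "image", "--format", "json", "--quiet", image],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # Usage: python trivy_gate.py [IMAGE]; with no argument the constructed sample is used.
    report = run_trivy(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    print("severity counts:", summarize(report))
    for h in failing_findings(report, "HIGH"):
        print(f"{h['severity']:<8} {h['id']:<18} {h['pkg']} {h['installed']} -> {h['fixed']}  [{h['target']}]")
    sys.exit(gate(report, "HIGH"))
```

Trivy can enforce the same threshold on its own with `trivy image --exit-code 1 --severity HIGH,CRITICAL <IMAGE_NAME>`; the value of parsing the JSON yourself is the summary per target and the ability to apply policy (such as the unfixed exception) that the CLI flags do not express.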
Conclusion:
Securing your software supply chain is crucial in today’s threat landscape, and tools like Trivy play a vital role in achieving that goal. By detecting vulnerabilities in dependencies early in the development process, developers can mitigate security risks and build more resilient applications.
Installing Trivy on different operating systems is a simple process, enabling developers to incorporate it seamlessly into their workflows regardless of their development environment. By following the steps outlined in this guide, you can enhance the security of your software and protect your organization from potential cyber threats.
