Trivy Scan for your Google Container Image

Setting up our Windows WSL Ubuntu machine for Trivy

First, Docker needs to be installed on your machine.

Install the Trivy on Ubuntu Machine (WSL)

sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

To work with Google Container Registry you need Application Default Credentials set before you start the scan. For that you need a service account in the Google project with enough permissions to pull the image from the Google Container Registry (GCR), and you point Trivy at its key file:

export GOOGLE_APPLICATION_CREDENTIALS=//service-acc-key.json

If you want to share the scan report as an HTML page, which is much easier to read, use the HTML template:

trivy image eu.gcr.io/<project_name>/ear-aa-990-daily-full-load-sqlserver-medium --timeout 1000m --format template --template "@html.tpl" -o report.html

Note - you have to download the template html.tpl into the same directory before you run the scan above; use this link (github.com/aquasecurity/trivy/blob/main/con..) to download the file.

How to scan for CRITICAL and HIGH severity findings only

trivy image --severity CRITICAL,HIGH eu.gcr.io/<project_name>/ear-aa-990-daily-full-load-sqlserver-medium --timeout 1000m

How to scan in debug mode

trivy -d image --severity CRITICAL,HIGH eu.gcr.io/<project_name>/ear-aa-990-daily-full-load-sqlserver-medium --timeout 1000m
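The commands above print findings to the terminal or render them to HTML, but in a pipeline you usually want the scan to fail the build when CRITICAL or HIGH findings exist. The script below is an added example, not part of the original post and not Trivy's own code: it consumes the JSON that `trivy image --format json -o report.json ...` writes and applies the same filtering as the `--severity` and `--ignore-unfixed` flags. The report embedded in it is constructed to match the shape of Trivy's JSON output (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity); the image name and CVE identifiers in it are placeholders, not real scan results.

```python
"""Gate a build on a Trivy JSON report (trivy image --format json -o report.json ...)."""
import json
import sys
from collections import Counter

# Constructed sample in the shape of Trivy's JSON output; the artifact name and
# vulnerability IDs are placeholders, not findings from a real scan.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "eu.gcr.io/example-project/example-image",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "eu.gcr.io/example-project/example-image (debian 11.6)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "othertool",
                 "InstalledVersion": "2.3", "FixedVersion": "2.4", "Severity": "MEDIUM"},
            ],
        },
        # Trivy leaves out the Vulnerabilities key when a target has no findings.
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip"},
    ],
})


def load_report(text):
    """Parse the JSON text written by `trivy image --format json`."""
    return json.loads(text)


def count_by_severity(report):
    """Count every finding in the report by its Severity field."""
    counts = Counter()
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN").upper()] += 1
    return counts


def findings(report, severities, ignore_unfixed=False):
    """Flatten Results[].Vulnerabilities[] into one list, filtered the way
    Trivy's --severity and --ignore-unfixed flags filter a scan."""
    wanted = {s.upper() for s in severities}
    out = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN").upper()
            if sev not in wanted:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            out.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": sev,
            })
    return out


def gate(report, fail_on=("CRITICAL", "HIGH"), ignore_unfixed=False):
    """Print the findings that violate the policy; return 0 if none, else 1."""
    hits = findings(report, fail_on, ignore_unfixed)
    for hit in hits:
        fix = f"fix in {hit['fixed']}" if hit["fixed"] else "no fix available"
        print(f"{hit['severity']:8} {hit['id']:16} {hit['pkg']} {hit['installed']} "
              f"({fix}) [{hit['target']}]")
    return 1 if hits else 0


if __name__ == "__main__":
    # Read a real report when a path is given, otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    report = load_report(text)
    print("counts:", dict(count_by_severity(report)))
    sys.exit(gate(report))
```

Run the scan with `--format json -o report.json` instead of the HTML template, then `python gate.py report.json`; a non-zero exit fails the pipeline step. Passing `ignore_unfixed=True` mirrors `--ignore-unfixed` and is the usual way to stop a build from being blocked by a finding the distribution has not patched yet, while still listing it.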

Reference articles:

Installation - Trivy (aquasecurity.github.io)