Vulnerability Scanning with Clair and Trivy: Ensuring Secure Containers

In today’s digital age, software applications and systems are vulnerable to a wide range of security threats. These threats can compromise sensitive information, cause system downtime, and result in financial losses for businesses. To prevent security breaches, it’s important to use vulnerability test tools that can detect and remediate vulnerabilities before attackers exploit them.

In this blog, we will discuss two popular vulnerability test tools — Clair and Trivy — that are specifically designed to scan container images for security issues. We will explore the key features of these tools, their benefits, and how to use them to ensure secure containers.

By the end of this blog, you will have a better understanding of how Clair and Trivy can help you identify and remediate security vulnerabilities in your container images, and how you can integrate them into your CI/CD pipeline for automated vulnerability scanning.

  1. Clair: Clair is a vulnerability scanner designed to work with container images. It uses a database of known vulnerabilities to scan container images for security issues. Clair is open-source and supports a wide range of container image formats. It can be integrated into your CI/CD pipeline for automated vulnerability scanning.
  2. Trivy: Trivy is another open-source vulnerability scanner designed to work with container images. It uses a database of known vulnerabilities to scan container images for security issues. It can also check configuration files and Kubernetes clusters for vulnerabilities, scan remote repositories, and more. Trivy supports a wide range of container image formats and can be integrated into your CI/CD pipeline for automated vulnerability scanning. It also provides detailed reports on identified vulnerabilities.

Importance of vulnerability testing

Vulnerability testing is important because it helps organizations identify and fix security weaknesses in their systems and software. By doing so, they can prevent attacks, comply with regulatory requirements, improve their overall security posture, and detect vulnerabilities early. Running a vulnerability test before we release an application gives us confidence that the application is vulnerability-free and helps us earn our customers' trust. Ultimately, vulnerability testing is essential for protecting an organization’s sensitive information and reducing the risk of successful attacks.

Benefits of using Clair and Trivy:

  1. Comprehensive scanning: Both tools offer comprehensive scanning capabilities that can detect vulnerabilities in different layers of container images, including operating systems, libraries, and applications.
  2. Easy integration: Both tools integrate easily with CI/CD tools and other DevOps workflows, so images can be scanned automatically on the fly as part of an end-to-end deployment.
  3. Speed and efficiency: Clair and Trivy can scan container images quickly and efficiently, reducing the time and resources required to identify and remediate vulnerabilities.
  4. Open source: Most importantly both tools are open-source tools, which means that organizations can use them for free and benefit from a large community of developers and users who contribute to their ongoing development and improvement.
  5. Customizable scans: Both tools offer customizable scanning options, which means the organization can tailor their vulnerability scans as per their specific use case needs and requirements.

How to use Trivy:

In this blog, I will use RHEL to show trivy usage.

  1. Configure the yum repository to download the trivy package.

We can use the content below to configure the yum repo. Note that gpgcheck=0 turns off GPG signature verification for packages installed from this repository.

# cat /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/8/$basearch/
gpgcheck=0
enabled=1

# yum install trivy -y

If we need to install trivy in another OS, we can refer to the installation guide using the below link: https://aquasecurity.github.io/trivy/v0.37/getting-started/installation/

Let’s have a look at how to check vulnerabilities in an image using trivy.

# We can use the command below to check vulnerabilities

[root@test-machine ~]# trivy image docker.io/library/nginx
2023-02-22T20:38:12.426+0530 INFO Vulnerability scanning is enabled
2023-02-22T20:38:12.426+0530 INFO Secret scanning is enabled
2023-02-22T20:38:12.426+0530 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-02-22T20:38:12.426+0530 INFO Please see also https://aquasecurity.github.io/trivy/v0.37/docs/secret/scanning/#recommendation for faster secret detection
2023-02-22T20:38:19.817+0530 INFO JAR files found
2023-02-22T20:38:19.817+0530 INFO Downloading the Java DB...
407.54 MiB / 407.54 MiB [----------------------------------------------------------------------------------------------------] 100.00% 12.29 MiB p/s 33s
2023-02-22T20:38:56.518+0530 INFO The Java DB is cached for 3 days. If you want to update the database more frequently, the '--reset' flag clears the DB cache.
2023-02-22T20:38:56.519+0530 INFO Analyzing JAR files takes a while...
2023-02-22T20:38:56.532+0530 INFO Detected OS: debian
2023-02-22T20:38:56.532+0530 INFO Detecting Debian vulnerabilities...
2023-02-22T20:38:56.564+0530 INFO Number of language-specific files: 0

docker.io/library/nginx (debian 11.6)

Total: 131 (UNKNOWN: 0, LOW: 87, MEDIUM: 24, HIGH: 19, CRITICAL: 1)

┌──────────────────┬──────────────────┬──────────┬─────────────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────────┼──────────────────┼──────────┼─────────────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ apt │ CVE-2011-3374 │ LOW │ 2.2.4 │ │ It was found that apt-key in apt, all versions, do not │
│ │ │ │ │ │ correctly... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2011-3374 │
├──────────────────┼──────────────────┼──────────┼─────────────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ bash │ CVE-2022-3715 │ HIGH │ 5.1-2+deb11u1 │ │ bash: a heap-buffer-overflow in valid_parameter_transform │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-3715 │
├──────────────────┼──────────────────┼──────────┼─────────────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ bsdutils │ CVE-2022-0563 │ LOW │ 2.36.1-8+deb11u1 │ │ util-linux: partial disclosure of arbitrary files in chfn │
│ │ │ │ │ │ and chsh when compiled... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-0563 │
├──────────────────┼──────────────────┤ ├─────────────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ coreutils │ CVE-2016-2781 │ │ 8.32-4 │ │ coreutils: Non-privileged session can escape to the parent │
│ │ │ │ │ │ session in chroot │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-2781 │
│ ├──────────────────┤ │ ├─────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2017-18018 │ │ │ │ coreutils: race condition vulnerability in chown and chgrp │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2017-18018 │
├──────────────────┼──────────────────┼──────────┼─────────────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ curl │ CVE-2022-42916 │ HIGH │ 7.74.0-1.3+deb11u5 │ │ curl: HSTS bypass via IDN │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-42916 │
│ ├──────────────────┤ │ ├─────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-43551 │ │ │ │ curl: HSTS bypass via IDN │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-43551 │
│ ├──────────────────┼──────────┤ ├─────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-23916 │ MEDIUM │ │ │ [curl: HTTP multi-header compression denial of service] │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-23916 │
│ ├──────────────────┼──────────┤ ├─────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-22922 │ LOW │ │ │ curl: Content not matching hash in Metalink is not being │
│ │ │ │ │ │ discarded │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-22922 │
│ ├──────────────────┤ │ ├─────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-22923 │ │ │ │ curl: Metalink download sends credentials │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-22923 │
│ ├──────────────────┤ │ ├─────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-23914 │ │ │ │ [curl: HSTS ignored on multiple requests] │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-23914 │
│ ├──────────────────┤ │ ├─────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-23915 │ │ │ │ [curl: HSTS amnesia with --parallel] │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-23915 │
├──────────────────┼──────────────────┼──────────┼─────────────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ e2fsprogs │ CVE-2022-1304 │ HIGH │ 1.46.2-2 │ │ e2fsprogs: out-of-bounds read/write via crafted filesystem │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1304 │
├──────────────────┼──────────────────┼──────────┼─────────────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ libapt-pkg6.0 │ CVE-2011-3374 │ LOW │ 2.2.4 │ │ It was found that apt-key in apt, all versions, do not │
│ │ │ │ │ │ correctly... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2011-3374 │
├──────────────────┼──────────────────┤ ├─────────────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ util-linux │ CVE-2022-0563 │ │ 2.36.1-8+deb11u1 │ │ util-linux: partial disclosure of arbitrary files in chfn │
│ │ │ │ │ │ and chsh when compiled... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-0563 │
└──────────────────┴──────────────────┴──────────┴─────────────────────────┴─────────────────┴──────────────────────────────────────────────────────

The above command runs both vulnerability scanning and secret scanning. If we want to do only vulnerability checks, we can use the command:

# trivy image docker.io/library/nginx --scanners vuln

It will show only vulnerabilities, so we can focus on them and resolve them using the fix that the tool itself reports. For each finding, Trivy gives the severity, the fixed version in which the vulnerability is resolved, and a reference link with more information about the vulnerability.
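The severity and fixed-version columns described above can drive an automated decision once the report is machine-readable (`trivy image --format json`). The following is an added example, not code from the original post: it splits HIGH and CRITICAL findings into those an upgrade can resolve and those with no fix yet. The sample report is constructed, reusing three rows from the table above plus one placeholder entry (`CVE-0000-0000`, `example-pkg`) that has a fixed version.

```python
import json
from collections import Counter

# Constructed sample in the shape of Trivy's JSON report. The first three
# findings reuse rows from the table above (none has a fixed version); the
# last is a made-up placeholder so the report contains one fixable finding.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "docker.io/library/nginx",
    "Results": [{
        "Target": "docker.io/library/nginx (debian 11.6)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2011-3374", "PkgName": "apt",
             "InstalledVersion": "2.2.4", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-2022-3715", "PkgName": "bash",
             "InstalledVersion": "5.1-2+deb11u1", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-23916", "PkgName": "curl",
             "InstalledVersion": "7.74.0-1.3+deb11u5", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-0000-0000", "PkgName": "example-pkg",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
             "Severity": "CRITICAL"},
        ],
    }, {"Target": "app/requirements.txt"}],  # target without findings
})

ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

def triage(report_json, block_on=("CRITICAL", "HIGH")):
    """Return (counts, fix_now, track) for the severities in block_on."""
    report = json.loads(report_json)
    counts, fix_now, track = Counter(), [], []
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN")
            counts[sev] += 1
            if sev not in block_on:
                continue
            # No fixed version means no package upgrade resolves it yet.
            (fix_now if v.get("FixedVersion") else track).append(v)
    fix_now.sort(key=lambda v: ORDER.index(v.get("Severity", "UNKNOWN")))
    return counts, fix_now, track

if __name__ == "__main__":
    counts, fix_now, track = triage(SAMPLE_REPORT)
    print("Total:", {s: counts[s] for s in ORDER})
    for v in fix_now:
        print("UPGRADE", v["PkgName"], v["InstalledVersion"], "->",
              v["FixedVersion"], v["VulnerabilityID"])
    for v in track:
        print("NO FIX YET", v["PkgName"], v["VulnerabilityID"])
    raise SystemExit(1 if fix_now else 0)  # fail only on fixable findings
```

Findings in the "no fix yet" list cannot be closed by a package upgrade, so they are reported for tracking rather than used to fail the build.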

In my upcoming blog, I will explain the usage of Clair and also CI/CD integration of Trivy or Clair using Jenkins.

Comparison of Clair and Trivy:

  • Scanning capabilities: Both can scan for vulnerabilities in container images, but Clair has a larger vulnerability database and can scan for a wider range of vulnerabilities than Trivy.
  • Ease of use: Trivy is known for being simple and easy to use, while Clair is a bit more complex to set up and use.
  • Integration: Both can be integrated into CI/CD pipelines and DevOps workflows, but Trivy has more integrations with other tools and platforms like Kubernetes and Helm.
  • Performance: Trivy is generally faster and more lightweight than Clair, making it a better choice for organizations with large container environments or a need for fast scanning.

Which tool is the better fit, however, depends on your use case and requirements.

Let’s have a look at best practices for vulnerability testing

  1. Test regularly: Test for vulnerabilities on a regular basis so that new vulnerabilities are quickly identified and fixed and do not hamper the actual outcome.
  2. Use multiple tools: Use a variety of vulnerability testing tools and techniques, including automated scanning tools and manual testing, to ensure all potential vulnerabilities are detected. Each tool uses a different approach to check for vulnerabilities, so combining them reduces the chance that a vulnerability goes undetected.
  3. Prioritize vulnerabilities: Focus on fixing the critical- and high-severity vulnerabilities first by prioritizing them based on their potential impact.
  4. Test in a safe environment: Conduct vulnerability testing in a safe and controlled environment, such as a testing or staging environment, to avoid exposing vulnerabilities to attackers.
  5. Involve stakeholders: Include relevant stakeholders such as developers and security teams in the vulnerability testing process.

In conclusion, securing container images is critical for maintaining the integrity and security of your applications and systems. With the help of vulnerability test tools like Clair and Trivy, you can scan your container images for security vulnerabilities and remediate them before they are exploited by attackers.

While both tools have their unique features and advantages, they are both powerful and effective at detecting vulnerabilities. By integrating them into your CI/CD pipeline, you can automate the vulnerability scanning process and ensure that your container images are always secure.

We hope that this blog has provided you with a comprehensive understanding of Clair and Trivy vulnerability test tools and how they can help you ensure the security of your container images. If you have any questions or comments, please feel free to leave them in the comments section below.

Refer to the links below for more information.

Trivy repo: https://github.com/aquasecurity/trivy

Clair repo: https://github.com/quay/clair

Thank you for taking the time to read this blog till the end and learn more about vulnerability testing using tools like Clair and Trivy. I hope that you found this information helpful and that it inspires you to explore the possibilities of automated vulnerability testing. Don’t hesitate to reach out if you have any questions or feedback, and be sure to share your experiences and insights with the community.
