Scanning images using Trivy

Trivy is an open source container scanning tool that's used to identify container vulnerabilities. It is one of the simplest and most accurate scanning tools in the market. In this recipe, we will learn how to install and scan container images using Trivy.

Let's perform the following steps to run Trivy:

  1. Get the latest Trivy release number and keep it in a variable:
$ VERSION=$(curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" |
grep '"tag_name":' |
sed -E 's/.*"v([^"]+)".*/\1/')

  2. Download the release archive, extract it to /tmp, and install the trivy command-line interface:

$ curl --silent --location "https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz" | tar xz -C /tmp
$ sudo mv /tmp/trivy /usr/local/bin
  3. Verify that trivy is functional by running the following command. It will return its current version:
$ trivy --version
trivy version 0.1.7
  4. Execute trivy checks by replacing the container image name with your target image. In our example, we scanned the postgres:12.0 image from the Docker Hub repository:
$ trivy postgres:12.0
2019-11-12T04:08:02.013Z INFO Updating vulnerability database...
2019-11-12T04:08:07.088Z INFO Detecting Debian vulnerabilities...

postgres:12.0 (debian 10.1)
===========================
Total: 164 (UNKNOWN: 1, LOW: 26, MEDIUM: 122, HIGH: 14, CRITICAL: 1)
...
  5. The summary line shows the number of vulnerabilities detected per severity, and it is followed by a detailed list of each vulnerability with its ID, severity, installed version, fixed version (when one exists), and a short title:
+-----------+------------------+----------+-------------------+---------------+-------+
|  LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-----------+------------------+----------+-------------------+---------------+-------+
| apt       | CVE-2011-3374    | LOW      | 1.8.2             |               |       |
+-----------+------------------+          +-------------------+---------------+-------+
| bash      | TEMP-0841856     |          | 5.0-4             |               |       |
+-----------+------------------+          +-------------------+---------------+-------+
| coreutils | CVE-2016-2781    |          | 8.30-3            |               |       |
+           +------------------+          +                   +---------------+-------+
|           | CVE-2017-18018   |          |                   |               |       |
+-----------+------------------+----------+-------------------+---------------+-------+
| file      | CVE-2019-18218   | HIGH     | 1:5.35-4          | 1:5.35-4+d    | file: |
...

With that, you've learned how to quickly scan your container images. Trivy supports a variety of container base images (CentOS, Ubuntu, Alpine, Distroless, and so on) and natively supports container registries such as Docker Hub, Amazon ECR, and Google Container Registry (GCR). Because it runs as a single binary and reports a per-severity summary, Trivy is well suited to CI. In the next two recipes, you will learn how to add Trivy to CI pipelines.
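To act on the summary that the scan in step 4 prints, here is an added example (not code from the book or from the Trivy project) that reads the `Total: ...` line and decides whether an image should be blocked at a chosen severity threshold. It assumes the output format shown above; the scan output it parses is a constructed sample rather than a live scan.

```shell
# Constructed sample of the summary Trivy printed for postgres:12.0 in the
# recipe; in practice pipe the real `trivy IMAGE` output into these functions.
SAMPLE_OUTPUT='2019-11-12T04:08:02.013Z INFO Updating vulnerability database...
postgres:12.0 (debian 10.1)
===========================
Total: 164 (UNKNOWN: 1, LOW: 26, MEDIUM: 122, HIGH: 14, CRITICAL: 1)'

# count_severity SEVERITY OUTPUT -> number of findings of that severity taken
# from the "Total:" line; prints 0 when the severity does not appear.
count_severity() {
    want="$1:"
    text=$2
    n=$(printf '%s\n' "$text" | grep '^Total:' | head -n 1 \
        | tr ',()' '   ' \
        | awk -v s="$want" '{ for (i = 1; i <= NF; i++) if ($i == s) print $(i + 1) }')
    printf '%s\n' "${n:-0}"
}

# gate_scan OUTPUT THRESHOLD -> returns 0 when there is no finding at or above
# THRESHOLD (one of LOW, MEDIUM, HIGH, CRITICAL) and 1 otherwise. UNKNOWN is
# reported but never blocks, since it carries no severity to compare against.
gate_scan() {
    scan=$1
    threshold=$2
    active=0
    failed=0
    for level in LOW MEDIUM HIGH CRITICAL; do
        [ "$level" = "$threshold" ] && active=1
        if [ "$active" -eq 1 ] && [ "$(count_severity "$level" "$scan")" -gt 0 ]; then
            failed=1
        fi
    done
    return "$failed"
}

# Against the constructed sample, HIGH: 14 and CRITICAL: 1 both sit at or above
# a HIGH threshold, so the gate reports that the image should be blocked.
if gate_scan "$SAMPLE_OUTPUT" HIGH; then
    echo "no findings at HIGH or above"
else
    echo "blocking: $(count_severity HIGH "$SAMPLE_OUTPUT") HIGH, $(count_severity CRITICAL "$SAMPLE_OUTPUT") CRITICAL"
fi
```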
