{"id":6542,"date":"2024-03-22T14:56:00","date_gmt":"2024-03-22T14:56:00","guid":{"rendered":"https:\/\/beta.bluetab.net\/?p=6542"},"modified":"2026-06-09T19:39:46","modified_gmt":"2026-06-09T18:39:46","slug":"container-vulnerability-scanning-with-trivy","status":"publish","type":"post","link":"https:\/\/beta.bluetab.net\/en\/2024\/03\/container-vulnerability-scanning-with-trivy\/","title":{"rendered":"Container vulnerability scanning with Trivy"},"content":{"rendered":"<h1>Container vulnerability scanning<br \/>with Trivy<\/h1>\n<figure><a href=\"https:\/\/www.linkedin.com\/in\/%C3%A1ngel-maroco-85a0807b\/\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" width=\"150\" height=\"150\" src=\"https:\/\/beta.bluetab.net\/wp-content\/uploads\/2020\/11\/Angel-Maroco-150x150.jpg\" alt=\"\" loading=\"lazy\" \/><\/a><\/figure>\n<h4><a href=\"https:\/\/www.linkedin.com\/in\/%C3%A1ngel-maroco-85a0807b\/\" target=\"_blank\" rel=\"noopener\">\u00c1ngel Maroco<\/a><\/h4>\n<p>AWS Cloud Architect<\/p>\n<p>Within the framework of container security, the build phase is critical, because it is where we select the base image on which our applications will run. 
Without an automated vulnerability scan at this stage, you can end up running insecure applications in production, with all the risk that entails.<\/p>\n<p>In this article we will cover vulnerability scanning with Aqua Security\u2019s <strong>Trivy<\/strong>, but before we begin we need to explain what these tools rely on to identify vulnerabilities in Docker images.<\/p>\n<p><strong>Introduction to CVE (Common Vulnerabilities and Exposures)<\/strong><\/p>\n<p><img decoding=\"async\" width=\"911\" height=\"517\" src=\"https:\/\/beta.bluetab.net\/wp-content\/uploads\/2020\/11\/CVEs-By-Year.png\" alt=\"CVEs published per year\" loading=\"lazy\" srcset=\"https:\/\/beta.bluetab.net\/wp-content\/uploads\/2020\/11\/CVEs-By-Year.png 911w, https:\/\/beta.bluetab.net\/wp-content\/uploads\/2020\/11\/CVEs-By-Year-300x170.png 300w, https:\/\/beta.bluetab.net\/wp-content\/uploads\/2020\/11\/CVEs-By-Year-768x436.png 768w\" sizes=\"(max-width: 911px) 100vw, 911px\" \/><\/p>\n<p><a href=\"\/\/cve.mitre.org\/index.html\">CVE<\/a> is a catalogue maintained by the <a href=\"\/\/www.mitre.org\/\">MITRE Corporation<\/a> that centralises the records of publicly known security vulnerabilities. Each entry has a CVE ID, a description of the vulnerability, the affected software versions, the fix (if one exists) or the configuration that mitigates it, and references to the advisories, posts or write-ups where the vulnerability was published or its exploitation demonstrated.<\/p>\n<p>The CVE ID provides a standard naming convention for uniquely identifying a vulnerability. 
The CVE record itself carries no severity: that is assigned by NVD (and by the Linux distributions\u2019 own security teams) from CVSS metrics, and is expressed as one of five levels that we will look at in the <a href=\"\/\/s3-eu-west-1.amazonaws.com\/static.bluetab.net\/An%C3%A1lisis%20de%20vulnerabilidades%20en%20contenedores%20con%20Trivy.md.html#Interpretaci%C3%B3n%20del%20an%C3%A1lisis\">Interpreting the analysis<\/a> section (if you are curious about how the score is computed, see the <a href=\"\/\/nvd.nist.gov\/vuln-metrics\/cvss\/v3-calculator\">CVSS v3 calculator<\/a>).<\/p>\n<p>CVE has become the de facto standard for recording vulnerabilities, so it is used by the vast majority of vendors, distributions and researchers.<\/p>\n<p>There are various channels for keeping up with vulnerability news: the <a href=\"\/\/cve.mitre.org\/blog\/\">official blog<\/a>, <a href=\"\/\/twitter.com\/CVEnew\/\">Twitter<\/a>, <a href=\"\/\/github.com\/CVEProject\/cvelist\">cvelist<\/a> on GitHub and <a href=\"\/\/www.linkedin.com\/showcase\/cve-cwe-capec\/\">LinkedIn<\/a>.<\/p>\n<p>For more detailed information about a vulnerability (CVSS vector, affected product list, patch references), consult NIST\u2019s <a href=\"\/\/nvd.nist.gov\/\">NVD<\/a> (National Vulnerability Database).<\/p>\n<p>We invite you to look up the following two critical vulnerabilities. It is quite possible that they have affected you directly or indirectly. 
Be warned that they have been among the most talked-about vulnerabilities of recent years (Spectre variant 1 and Meltdown):<\/p>\n<ul>\n<li>CVE-2017-5753<\/li>\n<li>CVE-2017-5754<\/li>\n<\/ul>\n<p>If you discover a vulnerability, report it to the affected vendor first and, if no CNA (CVE Numbering Authority) covers the product, request an ID through MITRE\u2019s <a href=\"\/\/cveform.mitre.org\/\">CVE request form<\/a>.<\/p>\n<h2>Aqua Security \u2013 Trivy<\/h2>\n<p><strong><a href=\"\/\/github.com\/aquasecurity\/trivy\">Trivy<\/a><\/strong> is an <em>open source<\/em> tool that detects known vulnerabilities in OS packages and in the dependency lock files of several language ecosystems. At the time of writing it supports:<\/p>\n<ul>\n<li><strong>OS packages<\/strong>: Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless\n<\/li>\n<li><strong>Application dependencies<\/strong>: Bundler, Composer, Pipenv, Poetry, npm, yarn and Cargo\n<\/li>\n<\/ul>\n<p><a href=\"\/\/www.aquasec.com\/\">Aqua Security<\/a>, a company specialising in security products, acquired Trivy in 2019 and, together with a large community of contributors, develops and maintains it.<\/p>\n<h3>Installation<\/h3>\n<p>Trivy has <a href=\"\/\/github.com\/aquasecurity\/trivy#installation\">installers<\/a> for most Linux and macOS systems. 
For our tests we will use the generic installer. Piping a remote script into a root shell is acceptable for a lab; for anything you will keep, download a tagged release, verify its checksum and install the binary yourself:<\/p>\n<pre><code class='language-bash'>curl -sfL https:\/\/raw.githubusercontent.com\/aquasecurity\/trivy\/master\/contrib\/install.sh | sudo sh -s -- -b \/usr\/local\/bin<\/code><\/pre>\n<p>If we do not want to persist the binary on our system, there is a Docker image. Note that mounting the Docker socket gives the Trivy container full control of the Docker daemon on the host (root-equivalent), so only do this on a machine you trust it with:<\/p>\n<pre><code class='language-bash'>docker run --rm \\\n  -v \/var\/run\/docker.sock:\/var\/run\/docker.sock \\\n  -v \/tmp\/trivycache:\/root\/.cache\/ \\\n  aquasec\/trivy image python:3.4-alpine<\/code><\/pre>\n<h3>Basic operations<\/h3>\n<ul>\n<li><strong>Local images<\/strong><br \/>Build a small image locally and scan it by tag:<\/li>\n<\/ul>\n<pre><code class='language-bash'>#!\/bin\/bash\ndocker build -t cloud-practice\/alpine:latest -<<EOF\nFROM alpine:latest\nRUN echo \"hello world\"\nEOF\ntrivy image cloud-practice\/alpine:latest<\/code><\/pre>\n<ul>\n<li><strong>Remote images<\/strong><br \/>Trivy pulls the image from the registry if it is not present locally:<\/li>\n<\/ul>\n<pre><code class='language-bash'>#!\/bin\/bash\ntrivy image python:3.4-alpine<\/code><\/pre>\n<ul>\n<li><strong>Local projects<\/strong><br \/><code>trivy fs<\/code> scans a directory tree for dependency lock files, such as the following (the names are those in the sample project scanned below):\n<ul>\n<li><em>Pipfile.lock:<\/em> Python<\/li>\n<li><em>package-lock_react.json:<\/em> React<\/li>\n<li><em>Gemfile_rails.lock:<\/em> Rails<\/li>\n<li><em>Gemfile.lock:<\/em> Ruby<\/li>\n<li><em>Dockerfile:<\/em> Docker (not a dependency file; later Trivy versions check it for misconfigurations)<\/li>\n<li><em>composer_laravel.lock:<\/em> PHP Laravel<\/li>\n<li><em>Cargo.lock:<\/em> Rust<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre><code class='language-bash'>#!\/bin\/bash\ngit clone https:\/\/github.com\/knqyf263\/trivy-ci-test\ntrivy fs trivy-ci-test<\/code><\/pre>\n<ul>\n<li><strong>Public repositories<\/strong><br \/>The same scan can be run directly against a Git repository:<\/li>\n<\/ul>\n<pre><code 
class='language-bash'>#!\/bin\/bash\ntrivy repo https:\/\/github.com\/knqyf263\/trivy-ci-test<\/code><\/pre>\n<ul>\n<li><strong>Private image registries<\/strong><br \/>Credentials are taken from the usual environment variables or from the Docker client configuration; see the README for:\n<ul>\n<li><a href=\"\/\/github.com\/aquasecurity\/trivy#amazon-ecr-elastic-container-registry\">Amazon ECR (Elastic Container Registry)<\/a><\/li>\n<li><a href=\"\/\/github.com\/aquasecurity\/trivy#docker-hub\">Docker Hub<\/a><\/li>\n<li><a href=\"\/\/github.com\/aquasecurity\/trivy#gcr-google-container-registry\">GCR (Google Container Registry)<\/a><\/li>\n<li><a href=\"\/\/github.com\/aquasecurity\/trivy#self-hosted-registry-basicauth\">Self-hosted registries with BasicAuth<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li><strong>Cache directory<\/strong><br \/>The vulnerability database is published on <a href=\"\/\/github.com\/aquasecurity\/trivy-db\">GitHub<\/a>. Trivy caches it, together with the layers it has already analysed, under <code>~\/.cache\/trivy<\/code>, and downloads a new copy only when the cached one is stale. The <code>--cache-dir &lt;dir&gt;<\/code> option moves that cache elsewhere, which is what you want in CI so that it can be persisted between jobs (the Docker example above mounts <code>\/tmp\/trivycache<\/code> for the same reason):<\/li>\n<\/ul>\n<pre><code class='language-bash'>#!\/bin\/bash\ntrivy --cache-dir .cache\/trivy image python:3.4-alpine3.9<\/code><\/pre>\n<ul>\n<li><strong>Filter by severity<\/strong><\/li>\n<\/ul>\n<pre><code class='language-bash'>#!\/bin\/bash\ntrivy image --severity HIGH,CRITICAL ruby:2.4.0<\/code><\/pre>\n<ul>\n<li><strong>Hide vulnerabilities with no fix available<\/strong><br \/><code>--ignore-unfixed<\/code> drops findings for which the distribution has not yet released a fixed package. You cannot act on them by upgrading, although they may still matter for your risk assessment.<\/li>\n<\/ul>\n<pre><code class='language-bash'>#!\/bin\/bash\ntrivy image --ignore-unfixed ruby:2.4.0<\/code><\/pre>\n<ul>\n<li><strong>Set the exit code<\/strong><br \/><code>--exit-code<\/code> is the exit status Trivy returns when it finds vulnerabilities of the selected severities (it exits 0 otherwise). In CI this lets you fail the pipeline only on CRITICAL findings while MEDIUM and HIGH ones are reported without breaking the build:<\/li>\n<\/ul>\n<pre><code class='language-bash'>#!\/bin\/bash\ntrivy image --exit-code 0 --severity MEDIUM,HIGH ruby:2.4.0\ntrivy image --exit-code 1 --severity CRITICAL ruby:2.4.0 
<\/code><\/pre>\n<ul>\n<li><strong>Ignore specific vulnerabilities<\/strong><br \/>Trivy reads a <em>.trivyignore<\/em> file from the working directory, one vulnerability ID per line (lines starting with <code>#<\/code> are comments). This is useful when the image contains a vulnerability that does not affect your application. Record the reason next to every entry and review the list periodically: an ignored ID is silently suppressed in every future scan, including after the image changes.<\/li>\n<\/ul>\n<pre><code class='language-bash'>#!\/bin\/bash\ncat .trivyignore\n# Accept the risk\nCVE-2018-14618\n# No impact in our settings\nCVE-2019-1543<\/code><\/pre>\n<ul>\n<li><strong>Export output in JSON format<\/strong><br \/>This is useful when you want to post-process the results (for example, apply your own policy in a pipeline), display them in a custom front end, or persist them in a structured format.<\/li>\n<\/ul>\n<pre><code class='language-bash'>#!\/bin\/bash\ntrivy image -f json -o results.json golang:1.12-alpine\njq . results.json<\/code><\/pre>\n<ul>\n<li><strong>Export output in SARIF format<\/strong><br \/>SARIF (Static Analysis Results Interchange Format) is an OASIS standard JSON format for static analysis results that code-hosting platforms and editors can ingest. At the time of writing Trivy produces it through a template; newer versions have <code>--format sarif<\/code> built in.<\/li>\n<\/ul>\n<pre><code class='language-bash'>#!\/bin\/bash\nwget https:\/\/raw.githubusercontent.com\/aquasecurity\/trivy\/master\/contrib\/sarif.tpl\ntrivy image --format template --template \"@sarif.tpl\" -o report-golang.sarif golang:1.12-alpine\ncat report-golang.sarif<\/code><\/pre>\n<p>VS Code has the <a href=\"\/\/marketplace.visualstudio.com\/items?itemName=MS-SarifVSCode.sarif-viewer\">sarif-viewer<\/a> extension for browsing the results.<\/p>\n<h3>Continuous integration processes<\/h3>\n<p>The Trivy README has example configurations for the main CI\/CD systems:<\/p>\n<ul>\n<li><a href=\"\/\/github.com\/aquasecurity\/trivy#github-actions\">GitHub Actions<\/a><\/li>\n<li><a href=\"\/\/github.com\/aquasecurity\/trivy#travis-ci\">Travis 
CI<\/a><\/li>\n<li><a href=\"\/\/github.com\/aquasecurity\/trivy#circleci\">CircleCI<\/a><\/li>\n<li><a href=\"\/\/github.com\/aquasecurity\/trivy#gitlab-ci\">GitLab CI<\/a><\/li>\n<li><a href=\"\/\/github.com\/aquasecurity\/trivy#aws-codepipeline\">AWS CodePipeline<\/a><\/li>\n<\/ul>\n<p>The GitLab CI example below builds the image, downloads the latest Trivy release and runs it twice: the first run reports HIGH findings without failing, the second fails the job on CRITICAL findings.<\/p>\n<pre><code class='language-yaml'># .gitlab-ci.yml\nstages:\n  - test\ntrivy:\n  stage: test\n  image: docker:stable-git\n  before_script:\n    - docker build -t trivy-ci-test:${CI_COMMIT_REF_NAME} .\n    - export VERSION=$(curl --silent \"https:\/\/api.github.com\/repos\/aquasecurity\/trivy\/releases\/latest\" | grep '\"tag_name\":' | sed -E 's\/.*\"v([^\"]+)\".*\/\\1\/')\n    - wget https:\/\/github.com\/aquasecurity\/trivy\/releases\/download\/v${VERSION}\/trivy_${VERSION}_Linux-64bit.tar.gz\n    - tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz\n  variables:\n    DOCKER_DRIVER: overlay2\n  allow_failure: true\n  services:\n    - docker:stable-dind\n  script:\n    - .\/trivy image --exit-code 0 --severity HIGH --no-progress trivy-ci-test:${CI_COMMIT_REF_NAME}\n    - .\/trivy image --exit-code 1 --severity CRITICAL --no-progress trivy-ci-test:${CI_COMMIT_REF_NAME}<\/code><\/pre>\n<p>Two caveats before copying this into a real pipeline. <code>allow_failure: true<\/code> marks the job as failed but lets the pipeline continue, so the CRITICAL gate is advisory only; remove it once you want the gate enforced. And the job fetches whatever release is <em>latest<\/em> over the network on every run, unverified; pin the Trivy version and check the release checksum so that the scanner itself does not become an unreviewed supply-chain dependency.<\/p>\n<h3>Interpreting the analysis<\/h3>\n<pre><code class='language-bash'>#!\/bin\/bash\ntrivy image httpd:2.2-alpine\n2020-10-24T09:46:43.186+0200    INFO    Need to update DB\n2020-10-24T09:46:43.186+0200    INFO    Downloading DB...\n18.63 MiB \/ 18.63 MiB [---------------------------------------------------------] 100.00% 8.78 MiB p\/s 3s\n2020-10-24T09:47:08.571+0200    INFO    Detecting Alpine vulnerabilities...\n2020-10-24T09:47:08.573+0200    WARN    This OS version is no longer supported by the distribution: alpine 3.4.6\n2020-10-24T09:47:08.573+0200    WARN    The vulnerability detection may be insufficient because security updates are not provided\nhttpd:2.2-alpine (alpine 3.4.6)\n===============================\nTotal: 32 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 
14, CRITICAL: 3)\n+-----------------------+------------------+----------+-------------------+------------------+--------------------------------+\n|        LIBRARY        | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |  FIXED VERSION   |             TITLE              |\n+-----------------------+------------------+----------+-------------------+------------------+--------------------------------+\n| libcrypto1.0          | CVE-2018-0732    | HIGH     | 1.0.2n-r0         | 1.0.2o-r1        | openssl: Malicious server can  |\n|                       |                  |          |                   |                  | send large prime to client     |\n|                       |                  |          |                   |                  | during DH(E) TLS...            |\n+-----------------------+------------------+----------+-------------------+------------------+--------------------------------+\n| postgresql-dev        | CVE-2018-1115    | CRITICAL | 9.5.10-r0         | 9.5.13-r0        | postgresql: Too-permissive     |\n|                       |                  |          |                   |                  | access control list on         |\n|                       |                  |          |                   |                  | function pg_logfile_rotate()   |\n+-----------------------+------------------+----------+-------------------+------------------+--------------------------------+\n| libssh2-1             | CVE-2019-17498   | LOW      | 1.8.0-2.1         |                  | libssh2: integer overflow in   |\n|                       |                  |          |                   |                  | SSH_MSG_DISCONNECT logic in    |\n|                       |                  |          |                   |                  | packet.c                       |\n+-----------------------+------------------+----------+-------------------+------------------+--------------------------------+ 
<\/code><\/pre>\n<p>Before the table, note the two WARN lines: Alpine 3.4 is end-of-life, so the distribution no longer publishes security data for it and the scan is likely to miss vulnerabilities. An EOL base image is a finding in itself.<\/p>\n<ul>\n<li><strong>Library<\/strong>: the package in which the vulnerable code was found.\n<\/li>\n<li><strong>Vulnerability ID<\/strong>: the vulnerability identifier, normally a CVE ID (some language ecosystems use other identifiers, such as GHSA).\n<\/li>\n<li><strong>Severity<\/strong>: Trivy uses five levels. For OS packages it takes the severity published by the distribution\u2019s security team where one exists, and otherwise falls back to the NVD CVSS (Common Vulnerability Scoring System) score. The descriptions below are adapted from Red Hat\u2019s classification <a href=\"\/\/access.redhat.com\/es\/security\/updates\/classification\">[source]<\/a>:\n<ul>\n<li><strong>Critical (CVSS score 9.0-10.0)<\/strong>: flaws that could be easily exploited by a remote unauthenticated attacker and lead to system compromise (arbitrary code execution) without requiring user interaction.\n<\/li>\n<li><strong>High (CVSS score 7.0-8.9)<\/strong>: flaws that can easily compromise the confidentiality, integrity or availability of resources.\n<\/li>\n<li><strong>Medium (CVSS score 4.0-6.9)<\/strong>: flaws that may be more difficult to exploit but could still lead to some compromise of the confidentiality, integrity or availability of resources under certain circumstances.\n<\/li>\n<li><strong>Low (CVSS score 0.1-3.9)<\/strong>: all other issues that may have a security impact: vulnerabilities believed to require unlikely circumstances to be exploitable, or whose consequences would be minimal.\n<\/li>\n<li><strong>Unknown<\/strong>: the vulnerability has no score assigned yet (often a very recent CVE); do not read it as harmless.\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Installed version<\/strong>: the package version found in the image.\n<\/li>\n<li><strong>Fixed version<\/strong>: the package version that fixes the issue. If it is empty, no fixed package is available yet for that distribution or ecosystem; these are the findings <code>--ignore-unfixed<\/code> hides.\n<\/li>\n<li><strong>Title<\/strong>: a short description of the vulnerability. For further information, look up the ID in the <a href=\"\/\/nvd.nist.gov\/\">NVD<\/a>.\n<\/li>\n<\/ul>\n<p>Now you know how to read the report at a high level. 
So, what actions should you take? We give you some pointers in the <a href=\"\/\/s3-eu-west-1.amazonaws.com\/static.bluetab.net\/An%C3%A1lisis%20de%20vulnerabilidades%20en%20contenedores%20con%20Trivy.md.html#Recomendaciones\">Recommendations<\/a> section.<\/p>\n<h3>Recommendations<\/h3>\n<p>This section covers some of the most important aspects of dealing with vulnerabilities in containers:<\/p>\n<ul>\n<li><strong>Avoid (wherever possible) using images in which <em>critical<\/em> or <em>high<\/em> severity vulnerabilities have been identified.<\/strong><\/li>\n<li><strong>Include image scanning in your CI process<\/strong><br \/>Security in development is not optional; automate the check and do not rely on someone remembering to run it by hand.<\/li>\n<li><strong>Use minimal images: fewer packages, fewer vulnerabilities<\/strong><br \/><a href=\"\/\/hub.docker.com\/_\/alpine\">Alpine<\/a> or <a href=\"\/\/hub.docker.com\/_\/busybox\">BusyBox<\/a> images ship with as few packages as possible (the Alpine base image is about 5 MB), so there is less code to be vulnerable and less tooling for an attacker who gets in. They support multiple architectures and are updated frequently.<\/li>\n<\/ul>\n<pre><code class='language-bash'>REPOSITORY  TAG     IMAGE ID      CREATED      SIZE\nalpine      latest  961769676411  4 weeks ago  5.58MB\nubuntu      latest  2ca708c1c9cc  2 days ago   64.2MB\ndebian      latest  c2c03a296d23  9 days ago   114MB\ncentos      latest  67fa590cfc1c  4 weeks ago  202MB<\/code><\/pre>\n<p>If your dependencies prevent you from building on Alpine (it uses musl rather than glibc, which some binaries and native extensions do not tolerate), look for the <em>slim<\/em> variants of official images from trusted vendors. 
Apart from the security benefit, anyone who shares a network with you will appreciate not having to download 1&nbsp;GB images.<\/p>\n<ul>\n<li><strong>Get images from official sources<\/strong>: on <a href=\"\/\/hub.docker.com\/\">Docker Hub<\/a>, prefer Docker Official Images or images from verified publishers. Official does not mean vulnerability-free, though, so scan them anyway: <a href=\"\/\/blog.banyansecurity.io\/blog\/over-30-of-official-images-in-docker-hub-contain-high-priority-security-vulnerabilities\">DockerHub and CVEs<\/a>\n<\/li>\n<li><strong>Keep images up to date<\/strong>: the following example compares two tags of the same Apache image:\n<p><strong>Image published in 11\/2018<\/strong><\/p>\n<\/li>\n<\/ul>\n<pre><code class='language-bash'>httpd:2.2-alpine (alpine 3.4.6)\n Total: 32 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 14, CRITICAL: 3)<\/code><\/pre>\n<p><strong>Image published in 01\/2020<\/strong><\/p>\n<pre><code class='language-bash'>httpd:alpine (alpine 3.12.1)\n Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)<\/code><\/pre>\n<p>As you can see, if a project was finished in 2018 and never maintained since, you could be exposing an Apache with known, fixable vulnerabilities. This is not a problem created by containers. 
However, given how easy Docker makes it to test a new version of a product, there is no longer any excuse for not doing so.<\/p>\n<ul>\n<li><strong>Pay special attention to vulnerabilities in the application layer:<\/strong><br \/>According to the <a href=\"\/\/www.edgescan.com\/wp-content\/uploads\/2019\/02\/edgescan-Vulnerability-Stats-Report-2019.pdf\">study<\/a> conducted by edgescan, 19% of vulnerabilities detected in 2018 were associated with Layer 7 (OSI model), with XSS (<em>Cross-site Scripting<\/em>) standing out above all. A package scanner like Trivy will not find flaws in your own code, so image scanning complements application security testing rather than replacing it.\n<\/li>\n<li><strong>Be careful with <em>latest<\/em> tags:<\/strong><br \/>Although this advice is closely related to the use of lightweight images, it is worth a separate note. The <em>latest<\/em> tag tells you nothing about the base image, and the same application version can ship on very different bases:<\/li>\n<\/ul>\n<p><strong>Latest Apache image (Alpine base 3.12)<\/strong><\/p>\n<pre><code class='language-bash'>httpd:alpine (alpine 3.12.1)\n Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)<\/code><\/pre>\n<p><strong>Latest Apache image (Debian base 10.6)<\/strong><\/p>\n<pre><code class='language-bash'>httpd:latest (debian 10.6)\n Total: 119 (UNKNOWN: 0, LOW: 87, MEDIUM: 10, HIGH: 22, CRITICAL: 0)<\/code><\/pre>\n<p>Both images contain the same version of Apache (2.4.46); the difference lies entirely in the base OS packages, with 22 HIGH and 87 LOW findings against Debian 10.6 and none against Alpine 3.12.1. Part of the gap is simply that Debian ships more packages and its security tracker records many low-severity and not-yet-fixed issues, so rerun the Debian scan with <code>--ignore-unfixed<\/code> before drawing conclusions.<br \/>Does this mean the Debian 10 based image makes the application running on it vulnerable? It may or may not. You need to assess whether any of those vulnerabilities is reachable in your application. Our recommendation here is the Alpine image, but the real lesson is to scan each base rather than trust the tag.<\/p>\n<ul>\n<li><strong>Evaluate the use of Docker <em>distroless<\/em> images<\/strong><br \/>The <a href=\"\/\/github.com\/GoogleContainerTools\/distroless\">distroless<\/a> concept comes from Google: Docker images based on Debian 9\/Debian 10 without package managers, shells or other utilities. 
The images are organised by language runtime (Java, Python, Golang, Node.js, dotnet and Rust) and contain only what is needed to run the application. With no package manager you cannot install dependencies inside the image (build in a separate stage and copy the artefact in), and with no shell you cannot <code>exec<\/code> into a running container to debug it; depending on the project that is a big advantage or a big obstacle. Test it and, if it fits your requirements, go ahead; it is always useful to have alternatives. Google builds and maintains the images, but they are not exempt from scanning: the non-static variants still ship glibc and OpenSSL, which receive CVEs like any other package.<\/li>\n<\/ul>\n<h3>Container vulnerability scanner ecosystem<\/h3>\n<p>In our case we have used Trivy because it is a reliable, stable, <em>open source<\/em> tool under continuous development, but there are numerous other tools in this space:<\/p>\n<ul>\n<li><a href=\"\/\/coreos.com\/clair\/docs\/latest\/\">Clair<\/a><\/li>\n<li><a href=\"https:\/\/snyk.io\/\">Snyk<\/a><\/li>\n<li><a href=\"\/\/anchore.io\/\">Anchore Cloud<\/a><\/li>\n<li><a href=\"\/\/github.com\/docker\/docker-bench-security\">Docker Bench<\/a> (checks the Docker host and daemon configuration against the CIS Docker Benchmark rather than scanning images, so it complements the others)<\/li>\n<li><a href=\"\/\/docs.docker.com\/engine\/scan\/\">Docker Scan<\/a><\/li>\n<\/ul>\n<p>My name is <strong><a href=\"\/\/www.linkedin.com\/in\/%C3%A1ngel-maroco-85a0807b\/\">\u00c1ngel Maroco<\/a><\/strong> and I have been working in the IT sector for over a decade. 
I started my career in web development and then moved on for a significant period to IT platforms in banking environments and have been working on designing solutions in AWS environments for the last 5 years.<\/p>\n<p>I now combine my role as an architect with being head of \/bluetab\u00a0<a href=\"\/\/www.linkedin.com\/feed\/hashtag\/?keywords=cloudpractice\">Cloud Practice<\/a>, with the mission of fostering Cloud culture within the company.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Container vulnerability scanningwith Trivy \u00c1ngel Maroco AWS Cloud Architect Share on twitter Share on linkedin Within the framework of security in container, the build phase is of vital importance as\u00a0we\u00a0need to select the base image on which applications will run. 
Not having automatic mechanisms for vulnerability scanning can lead to production environments with insecure applications [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":20775,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[7,29,30],"tags":[],"class_list":["post-6542","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-es","category-practices-en","category-tech-en"],"acf":[],"jetpack_featured_media_url":"https:\/\/beta.bluetab.net\/wp-content\/uploads\/2020\/11\/enlaces-linkedin-1.png","_links":{"self":[{"href":"https:\/\/beta.bluetab.net\/en\/wp-json\/wp\/v2\/posts\/6542","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/beta.bluetab.net\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/beta.bluetab.net\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/beta.bluetab.net\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/beta.bluetab.net\/en\/wp-json\/wp\/v2\/comments?post=6542"}],"version-history":[{"count":1,"href":"https:\/\/beta.bluetab.net\/en\/wp-json\/wp\/v2\/posts\/6542\/revisions"}],"predecessor-version":[{"id":20863,"href":"https:\/\/beta.bluetab.net\/en\/wp-json\/wp\/v2\/posts\/6542\/revisions\/20863"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/beta.bluetab.net\/en\/wp-json\/wp\/v2\/media\/20775"}],"wp:attachment":[{"href":"https:\/\/beta.bluetab.net\/en\/wp-json\/wp\/v2\/media?parent=6542"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/beta.bluetab.net\/en\/wp-json\/wp\/v2\/categories?post=6542"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/beta.bluetab.net\/en\/wp-json\/wp\/v2\/tags?post=6542"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}