Skip to main content

TRG 8.04 - Trivy

StatusCreatedPost-History
Active26-Mar-2024Initial release
Draft04-Mar-2024Draft release

Why

Trivy scans our Docker containers to accurately identify and remediate vulnerabilities in OS packages and application dependencies, ensuring our environment remains secure.

Description

Trivy should be used if your project or repository builds containers and publishes them to Docker Hub.

Configure your GitHub Actions to include:

  • workflow_dispatch: Manual workflow execution.
  • schedule: Schedule the workflow to run at least once a week with 0 0 * * 0.

Because Trivy scans the published image on Docker Hub, running it on a schedule suffices, removing the necessity to execute it on every push and pull request. Optionally, the local build in the pipeline run can be scanned, using the push and pull_request triggers for these scans.

In the Trivy workflow, the Docker Hub image scanned must be the currently supported version, not necessarily the latest image.

If multiple Docker images, such as frontend and backend, are published from the repository, configure a scan for each image either by using the matrix option or by duplicating the necessary steps from the example workflow.

Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert.

caution

Address high severity findings; it is recommended to also address medium severity findings.

Due to IP considerations, base images with findings must not be updated arbitrarily, as outlined in TRG4.

You can tailor the failure conditions (exit-code, severity) for high severity issues in the workflow to suit your team's preferences.

Example Trivy workflow:

name: "Trivy"

on:
  schedule:
    - cron: "0 0 * * 0"
  workflow_dispatch:


jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.18.0
        with:
          image-ref: "tractusx/<your-image>:<version>" # Pull image from Docker Hub and run Trivy vulnerability scanner
          format: "sarif"
          output: "trivy-results.sarif"
          exit-code: "1" # Trivy exits with code 1 if vulnerabilities are found, causing the workflow step to fail.
          severity: "CRITICAL,HIGH" # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH).
          hide-progress: false

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: "trivy-results.sarif"