TRG 8.04 - Trivy
Status | Created | Post-History |
---|---|---|
Update | 26-Jun-2024 | Workflow update |
Active | 26-Mar-2024 | Initial release |
Draft | 04-Mar-2024 | Draft release |
Why
Trivy scans our Docker containers to accurately identify and remediate vulnerabilities in OS packages and application dependencies, ensuring our environment remains secure.
Description
Trivy should be used if your project or repository builds containers and publishes them to Docker Hub.
Configure your GitHub Actions to include:
workflow_dispatch
: Manual workflow execution.schedule
: Schedule the workflow to run at least once a week with0 0 * * 0
.
Because Trivy scans the published image on Docker Hub, running it on a schedule
suffices, removing the necessity to execute it on every push and pull request. Optionally, the local build in the pipeline run can be scanned, using the push
and pull_request
triggers for these scans.
In the Trivy workflow, the Docker Hub image scanned must be the currently supported version, not necessarily the latest
image.
If multiple Docker images, such as frontend and backend, are published from the repository, configure a scan for each image either by using the matrix
option or by duplicating the necessary steps from the example workflow.
Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert.
Address high severity findings; it is recommended to also address medium severity findings.
Due to IP considerations, base images with findings must not be updated arbitrarily, as outlined in TRG4.
You can tailor the failure conditions (exit-code
, severity
) for high severity issues in the workflow to suit your team's preferences.
Example Trivy workflow:
name: "Trivy"
on:
schedule:
- cron: "0 0 * * 0"
workflow_dispatch:
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.18.0
with:
image-ref: "tractusx/<your-image>:<version>" # Pull image from Docker Hub and run Trivy vulnerability scanner
format: "sarif"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH" # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH).
hide-progress: false
exit-code: "1" # Trivy exits with code 1 if vulnerabilities are found, causing the workflow step to fail.
limit-severities-for-sarif: true
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: "trivy-results.sarif"