
Adding Trivy to Harbor

By Jay

Jan 22, 2024 | 4 minutes read

Series: Docker

Tags: blog, tech, docker

In the last post, we installed Harbor and discussed some of the features that it provides. In this post, we will be adding Trivy to Harbor to provide vulnerability scanning for our container images.

Trivy is an open-source tool for scanning vulnerabilities in container images, file systems, and Git repositories. It’s known for its simplicity and ease of use, and it’s widely used in the world of container security. Developed by Aqua Security, Trivy is designed to detect vulnerabilities in operating system packages (like Alpine, RHEL, Debian) and application dependencies (like RubyGems, npm, and Pipenv).

Key features of Trivy include:

  1. Comprehensive Vulnerability Detection: Trivy scans for vulnerabilities in OS packages as well as in application dependencies, providing a thorough analysis of potential security issues.

  2. Simple and Easy to Use: It requires minimal configuration and can be easily integrated into CI/CD pipelines for automated scanning.

  3. Up-to-date Vulnerability Database: Trivy pulls a prebuilt vulnerability database that is republished regularly, so findings track current advisories. The flip side is that a scan is only as fresh as the last database download, which matters for air-gapped or offline Harbor installs.

  4. Fast Scanning: It’s designed to perform scans quickly, minimizing the impact on development workflows.

  5. Integration with CI/CD Pipelines: Trivy can be integrated with continuous integration and deployment processes, making it easy to include security checks in the software development lifecycle.

  6. Support for Multiple Targets: Besides container images, Trivy can scan file systems and Git repositories, making it a versatile tool for different types of security checks.

When installing Harbor it is very easy to enable Trivy as your vulnerability scanner:

$ ./install.sh --with-trivy 

Trivy runs as its own container, the Trivy adapter, which exposes an HTTP endpoint that Harbor calls to request scans and fetch reports (Harbor's pluggable scanner API). After you log into Harbor, open Administration > Interrogation Services to check that the integration is up and running:

[Screenshot: Configure]

We now want to configure Trivy for our projects. To start, select the scanner that projects should use (after a --with-trivy install, Trivy is the only one registered) and mark it as the default:

[Screenshot: ConfigureTwo]

[Screenshot: Settings]

You can also check the version and last update time of the vulnerability database being used, as well as get a high-level view of your images' CVE exposure:

[Screenshot: Version]

This page also lets you schedule a periodic Scan All of every artifact in the registry. That matters because a clean result is only as current as the database it was produced with: a new advisory can turn yesterday's clean image into today's Critical without a single byte of the image changing.

Now we can look at images; the popup in the lower right appears when you hover over an image. Artifacts that have not been scanned are marked as such, and you can start a scan from this interface. Every previously scanned image shows the vulnerabilities currently found, along with how many of them are fixable (a fixed package version is available upstream).

[Screenshot: Images]

You can drill down to the image and look at the individual CVEs; the disclosure triangle to the left expands details on the CVE (affected package, installed version, fixed version) and links out to the vulnerability database entry that Trivy reports for it.

[Screenshot: VulnDetails]

You can adjust the way scanning is applied from the project's Configuration tab (Harbor scopes these settings per project, not per repository). Key things that can be configured here:

  • Automatically scan images on push, so every new artifact gets a report without anyone pressing Scan.
  • A CVE allowlist for CVEs that you want ignored. Allowlisted entries drop out of the counts and out of any gate built on them, so give each one a written justification and an expiry date rather than a permanent exception.
    • You can also maintain an allowlist at the system level and have the project inherit it.
  • Prevent vulnerable images from running: refuse pulls of artifacts whose scan found vulnerabilities at or above a chosen severity.
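The same decisions the UI makes (is the scanner registered, scan this artifact, list its CVEs, and apply a severity threshold with an allowlist) can be driven from Harbor's v2.0 REST API, which is how you would gate a CI job on the registry's own scan rather than on a developer's laptop. The script below is an added example written for this post; it is not code from the post, from Harbor or from Trivy. It assumes a Harbor instance at HARBOR_URL with basic-auth credentials that can read the project, Trivy already registered as the scanner, and report field names as returned by the Trivy adapter in Harbor's vulnerability report v1.1 (id, package, version, fix_version, severity); the sample findings at the bottom are constructed placeholders, not real CVEs.

```python
"""Gate an image on its Harbor/Trivy scan result via Harbor's v2.0 REST API.

Added example, not code from the post, Harbor or Trivy. Assumes HARBOR_URL,
HARBOR_USER and HARBOR_PASSWORD point at a Harbor whose project already uses
Trivy as its scanner. Report field names follow Harbor's vulnerability report
v1.1 as produced by the Trivy adapter; check them against your Harbor version.
"""
import base64
import json
import os
import sys
import urllib.request
from urllib.parse import quote

# MIME type under which Harbor keys the scanner adapter's vulnerability report.
VULN_REPORT_MIME = "application/vnd.security.vulnerability.report; version=1.1"

# Severity scale used by Harbor and Trivy, lowest to highest.
SEVERITY_RANK = {s: i for i, s in enumerate(
    ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"])}


def _call(base_url, path, user, password, method="GET", headers=None):
    """Minimal basic-auth JSON helper on urllib so the script has no dependencies."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url.rstrip("/") + path, method=method)
    req.add_header("Authorization", f"Basic {token}")
    for key, value in (headers or {}).items():
        req.add_header(key, value)
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
    return json.loads(body) if body else None


def artifact_path(project, repo, ref):
    """Harbor requires '/' inside a repository name to be double-encoded (%252F)."""
    return (f"/api/v2.0/projects/{quote(project, safe='')}/repositories/"
            f"{quote(quote(repo, safe=''), safe='')}/artifacts/{quote(ref, safe=':')}")


def list_scanners(base_url, user, password):
    """Same check as Administration > Interrogation Services: registered scanners."""
    return _call(base_url, "/api/v2.0/scanners", user, password)


def trigger_scan(base_url, project, repo, ref, user, password):
    """Equivalent of the SCAN button; Harbor answers 202 and scans asynchronously."""
    return _call(base_url, artifact_path(project, repo, ref) + "/scan",
                 user, password, method="POST")


def fetch_vulnerabilities(base_url, project, repo, ref, user, password):
    """The per-CVE list behind the vulnerability drill-down in the UI."""
    data = _call(base_url, artifact_path(project, repo, ref) + "/additions/vulnerabilities",
                 user, password, headers={"X-Accept-Vulnerabilities": VULN_REPORT_MIME})
    return (data or {}).get(VULN_REPORT_MIME, {}).get("vulnerabilities", [])


def evaluate(vulns, block_at="High", allowlist=(), ignore_unfixed=False):
    """Policy decision mirroring the project settings discussed above.
    block_at       -- findings of this severity or higher fail the gate
    allowlist      -- CVE IDs excluded from the decision (Harbor's CVE allowlist)
    ignore_unfixed -- skip findings with no fix_version (harbor.yml trivy.ignore_unfixed)
    Returns (passed, blocking_ids, allowlisted_ids)."""
    threshold = SEVERITY_RANK[block_at]
    allow = set(allowlist)
    blocking, allowlisted = [], []
    for v in vulns:
        cve = v["id"]
        if cve in allow:
            allowlisted.append(cve)
            continue
        if ignore_unfixed and not v.get("fix_version"):
            continue
        if SEVERITY_RANK.get(v.get("severity", "Unknown"), 0) >= threshold:
            blocking.append(cve)
    return (not blocking, blocking, allowlisted)


# Constructed sample in the shape of a v1.1 report entry; IDs are placeholders, not real CVEs.
SAMPLE_VULNS = [
    {"id": "CVE-0000-0001", "package": "openssl", "version": "3.0.2", "fix_version": "3.0.3", "severity": "Critical"},
    {"id": "CVE-0000-0002", "package": "libc6", "version": "2.35", "fix_version": "", "severity": "High"},
    {"id": "CVE-0000-0003", "package": "curl", "version": "7.81", "fix_version": "7.82", "severity": "Medium"},
    {"id": "CVE-0000-0004", "package": "zlib", "version": "1.2.11", "fix_version": "1.2.12", "severity": "High"},
]


if __name__ == "__main__":
    base = os.environ.get("HARBOR_URL")
    if base:
        user, pw = os.environ["HARBOR_USER"], os.environ["HARBOR_PASSWORD"]
        project, repo, ref = sys.argv[1:4]  # e.g. library team/app sha256:...
        vulns = fetch_vulnerabilities(base, project, repo, ref, user, pw)
    else:  # no registry configured: dry run over the constructed sample
        vulns = SAMPLE_VULNS
    allow = [c for c in os.environ.get("CVE_ALLOWLIST", "").split(",") if c]
    passed, blocking, allowed = evaluate(vulns, block_at="High",
                                         allowlist=allow, ignore_unfixed=True)
    print(f"passed={passed} blocking={blocking} allowlisted={allowed}")
    sys.exit(0 if passed else 1)
```

Run it as `python gate.py library team/app sha256:... ` with HARBOR_URL, HARBOR_USER and HARBOR_PASSWORD set; with no HARBOR_URL it evaluates the constructed sample. The gate reads the report Harbor already holds rather than triggering a scan and polling, so it stays cheap in CI; trigger_scan is there for the case where scan-on-push is off. Note that ignore_unfixed silently drops findings with no upstream fix, which is the same trade-off the harbor.yml setting of that name makes: fewer red builds, but a Critical with no fix is still a Critical you are shipping, so treat it as a triage convenience, not a risk decision.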

[Screenshot: Rules]

  • Harbor does not sign images for you: signing is done client-side with cosign (or Notary in older releases), and Harbor stores the signatures and, if configured, enforces content trust so that unsigned artifacts cannot be pulled.
  • Trivy can be used outside the context of Harbor (the same scanner and database from a CLI or CI job) or further tuned if needed, for example through the trivy section of harbor.yml.
  • Pluggable architecture - additional scanners can be added.

The Interrogation Services page also lets you register, alongside Trivy, any scanner that implements Harbor's pluggable scanner adapter API:

[Screenshot: Scanner]

When securing your supply chain, it is important to remember that security is a process, not a product. Harbor and Trivy are tools that can help you secure your container images, but they are not a silver bullet. I prefer to leverage a technique called the "Swiss cheese approach", where you have multiple layers of security that each have holes in them. The idea is that with enough independent layers the holes rarely line up, so a gap in one control is caught by another instead of becoming a breach.

Another thing to consider is how to shift security checks as far left as possible in your development process, with the important caveat that you give developers the tools that make that leftward shift possible. This is where a tool like Docker Scout can prove invaluable, giving developers the findings they need to fix their images before they are pushed to the registry.