Skip to content

Understanding Container Image Security with Anchore and Trivy

Understanding Container Image Security with Anchore and Trivy

In today's world of containerized applications, ensuring the security of container images is paramount. Two powerful tools that aid in this process are Anchore and Trivy. This blog post delves into what these tools are and how they can be used to analyze and secure container images.

What is Anchore?

Anchore Engine is an open-source project that provides a centralized service for the inspection, analysis, and certification of container images. It is available as a Docker container image that can be run standalone or within orchestration platforms such as Kubernetes, Docker Swarm, Rancher, Amazon ECS, and others.

Summarizing Vulnerabilities with Anchore

To process Anchore vulnerability reports and get a summary of vulnerabilities, you can use the following script:

for i in *-vuln.json; do
    echo $i >> scan.log
    jq -r '.vulnerabilities[].severity' $i | sort | uniq -c >> scan.log
done

What is Trivy?

Trivy (pronounced "tri" like trigger and "vy" like envy) is a simple and comprehensive scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues. Trivy detects vulnerabilities in OS packages (e.g., Alpine, RHEL, CentOS) and language-specific packages (e.g., Bundler, Composer, npm, yarn). Additionally, Trivy scans Infrastructure as Code (IaC) files such as Terraform, Dockerfile, and Kubernetes manifests to detect potential configuration issues that could expose your deployments to risk.

Generating a CSV Summary with Trivy

To process Trivy JSON reports and generate a summary in CSV format, you can use the following script:

for FILE in *.json; do
    jq --compact-output --raw-output '.[] | select(.Vulnerabilities) | {type:.Type, class:.Class, vulnerability:.Vulnerabilities[]} | [.type, .class, .vulnerability.VulnerabilityID, .vulnerability.Severity, .vulnerability.PublishedDate, .vulnerability.LastModifiedDate] | @csv' ${FILE} | awk -v NAME=${FILE} '{print NAME, $0}'
done > output.log

The final output can be found in output.log.

References

  1. Anchore Engine GitHub Repository
  2. Trivy GitHub Repository

By leveraging Anchore and Trivy, you can enhance the security of your containerized applications, ensuring that vulnerabilities are identified and addressed promptly.