DEV Community

Cover image for 🚀 DevSecOps ⚙️: "A Deep Dive into Scanning External Docker Images with Aqua Trivy in Amazon CodePipeline" 💭
Sarvar Nadaf for AWS Community Builders

Posted on • Edited on

🚀 DevSecOps ⚙️: "A Deep Dive into Scanning External Docker Images with Aqua Trivy in Amazon CodePipeline" 💭

Hello There!!!
Called Sarvar, I am an Enterprise Architect, Currently working at Deloitte. With years of experience working on cutting-edge technologies, I have honed my expertise in Cloud Operations (Azure and AWS), Data Operations, Data Analytics, and DevOps. Throughout my career, I’ve worked with clients from all around the world, delivering excellent results, and going above and beyond expectations. I am passionate about learning the latest and treading technologies.

I hope today is going well for everyone! As you might guess from the article's title, we are currently looking at Aqua Trivy, a DevSecOps tool. Since our customer is from the finance domain, our client insisted on having DevSecOps technologies implemented at every level of CICD process while I was working as an enterprise architect. The client requested that he perform and investigate whether any docker images that are pulled from the outside of the internet have vulnerabilities. We have a number of Enterprise and open source products available on the market that are specifically tailored to this requirement, but we have chosen to use an open source tool. After doing some research and analysis, we have chosen Aqua Trivy since it has many capabilities and quick scanning options. We will quickly explore what Aqua Trivy is and begin exploring how we use the Aqua Trivy tool in Amazon CodePipeline.

What is Auqa Trivy?

Specifically created for docker image and dockerized apps, Trivy is an open-source vulnerability scanner. It helps developers and system administrators maintain the security of their containerized environments by locating and reporting security flaws in container images and their dependencies. Through the use of an extensive vulnerability database and quick, automated scans, Trivy accomplishes this goal, allowing customers to promptly address and mitigate security issues in their containerized installations.

Let's See How we can Integrate Aqua Trivy with Amazon CodePipeline:

A few things before we begin this process of integrating Aqua Trivy with Amazon CodePipeline. We are looking into this step-by-step. Let's get started. I'm going to assume that you have enough experience with Amazon CodePipeline and related services. Finally, I'll show you a demo of Continues delivery using Amazon Codecommit and Continues build using Amazon CodeBuild.

GitHub URL - Link

Step 1: Configure CodePipeline & Push Two Files.

Here, we've created a repository named Trivy-Test, which contains the two files you can see below: buildspec.yml, which will help in performance build, and Dockerfile, which will fetch the Docker image from DockerHub.

Image description

Dockerfile



FROM alpine:3.10.0
#FROM ubuntu


Enter fullscreen mode Exit fullscreen mode

We are getting two docker images from the above dockerfile: one is Ubuntu, which is a non-vulnerability image, and the other is Alpine, which has vulnerabilities. One thing to note is that the second Docker image has been commented out to observe the behavior of the Aqua Trivy.

Buildspec.yml



version: 0.2

phases:
  pre_build:
    commands:
      - apt-get update
      - apt-get install -y awscli
      - apt-get install wget apt-transport-https gnupg
      - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | apt-key add -
      - echo deb https://aquasecurity.github.io/trivy-repo/deb bionic main | tee -a /etc/apt/sources.list.d/trivy.list
      - apt-get update
      - apt-get install -y trivy
      - aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-east-1.amazonaws.com
      - REPOSITORY_URI=123456789012.dkr.ecr.us-east-1.amazonaws.com/test
  build:
    commands:
      - docker build -t $REPOSITORY_URI:success .
  post_build:
    commands:
      - trivy image --exit-code 1 --severity HIGH,CRITICAL $REPOSITORY_URI:success
      - docker push $REPOSITORY_URI:success



Enter fullscreen mode Exit fullscreen mode

We are doing the actual Trivy Scanning for Docker Images here in the buildspec.yml file. A few things to keep in mind when making changes to this file are to obtain the login URL from Amazon ECR so that the uploaded image will be pushed to ECR when scanning is finished. ECR is completely optional; you are free to ignore it or not participate at all. In addition, we are installing Trivy from the official Git repository and have configured an exit code that will enable us to stop the build in the event that Trivy discovers a vulnerability during the Docker scanning process. I'll demonstrate an example of how the scanning result appears below.

Step 2: CodeBuild Configuration
The codebuild process is pretty straightforward; we don't customize anything; instead, we primarily use the standard default options, of which I've listed the most significant ones below.

  1. Your codecommit repository, which contains your buildspec.yml and dockerfile, must be the source.
  2. Operating system shall be Ubuntu standard:5.0, and environment must be managed image EC2.
  3. Enabling privillaged is recommended.
  4. Service role Simply make a new one for this, then after the build is formed, add an ECR full access policy to the build role that was just made.
  5. Build specifications Use a buildspec file Option.
  6. Click on Create Build and leave the rest as is.

Step 3: Create Amazon CodePipeline to Automate Workflow (Optional)
You must be wondering why this step is optional because we can directly run the codebuild that we have created just now. Anyway, this step is also straight forward: just select your code repo and branch which you have created on step 1 and move to select the build project that you have created on step 2, and at the rest stage, you may skip and complete the code pipeline.

Your CodePipeline May look like this:

Image description

Step 4: Let's Trigger CodePipeline to Perform Aqua Trivy Scanning on Alpine:3.10.0 Docker Image.

I'll get you a screenshot of the codepipeline after it runs. Remember that we are scanning Alpine:3.10.0, which has vulnerabilities. If Trivy discovers any High or Critical vulnerabilities, the code build stage will fail because we have set the exit code. Here is a screenshot of the codebuild output.

Here Aqua Trivy Found High and Critical Vulnerability:

Image description

Here You can see the detailed information about the Vulnerability:

Image description

Here Exit Code exit and failed the build:

Image description

Here you can see CodeBuild is Failed Due to Trivy found vulnerabilities:

Image description

Step 5: Now check Non-vulnerable Docker Image to check Behavior of Aqua Trivy:
Here, we're just going to uncomment Ubuntu and comment Alpine:3.10.0 in the Dockerfile, allowing Trivy to scan the Ubuntu image and Codebuild to retrieve it from Docket Hub. Just remember that the build stage will be successful because Ubuntu is not vulnerable. Here is a screenshot of the CodeBuild output.

As you can see now there is no Vulnerability found by Aqua Trivy in Ubuntu Docker Image:

Image description

Here you can see Both Codecommit and CodeBuild is completed successfully:

Image description

Conclusion: As this article explains, the integration of Aqua Trivy with Amazon CodePipeline provides proof of the DevSecOps proactive strategy for CICD security. By selecting an open-source tool designed specifically for analyzing Docker images for vulnerabilities, i showed that we can quickly detect and mitigate security threats before they were serious. In addition to automating the workflow, the smooth interaction with Amazon CodeBuild and CodePipeline guarantees that security checks are a necessary and automated step in the software delivery process. I demonstrate our dedication to strong security procedures by providing a real-world example of checking Docker images for vulnerabilities and stopping the build upon identifying serious concerns. This is especially important in industries like finance where strict security protocols are essential.

— — — — — — — —

Here is the End!

Thank you for taking the time to read my article. I hope you found this article informative and helpful. As I continue to explore the latest developments in technology, I look forward to sharing my insights with you. Stay tuned for more articles like this one that break down complex concepts and make them easier to understand.

Remember, learning is a lifelong journey, and it’s important to keep up with the latest trends and developments to stay ahead of the curve. Thank you again for reading, and I hope to see you in the next article!

Happy Learning!

Top comments (0)