DEV Community

Posted by marocz
Integrating Trivy with GitLab CI, Azure DevOps, and GitHub Actions for Enhanced Security

Introduction

In the world of continuous integration and deployment (CI/CD), security is paramount. Trivy, a simple and comprehensive vulnerability scanner, is a key tool for scanning your applications and infrastructure for security issues. In this post, I'll discuss how to integrate Trivy into GitLab CI, Azure DevOps, and GitHub Actions, enhancing the security of your CI/CD pipelines.

Trivy: A Brief Overview

Trivy is an open-source vulnerability scanner for container images and filesystems. It's easy to integrate into CI/CD pipelines and provides comprehensive vulnerability detection. Here are some key features that make Trivy stand out:

  1. Wide Range of Vulnerability Detections: Trivy can detect vulnerabilities from various sources, including OS packages (Alpine, Red Hat, etc.) and application dependencies (NPM, RubyGems, etc.).

  2. Simple Installation and Operation: Unlike other scanners that require pre-requisites or complex setup, Trivy is easy to install and can be run with a single command, making it ideal for integration into CI/CD pipelines.

  3. High Accuracy: Trivy minimizes false positives and negatives, providing reliable and accurate scanning results. It regularly updates its vulnerability database to ensure it can detect the latest known vulnerabilities.

  4. DevSecOps Friendly: Trivy fits perfectly in the DevSecOps model, allowing developers and security teams to work together. Its integration into CI/CD pipelines ensures that security is a shared responsibility and part of the daily workflow.

  5. Comprehensive Reports: Trivy generates detailed and understandable reports, making it easier for developers to identify and address vulnerabilities.

Integrating Trivy with GitLab CI

GitLab CI/CD is a powerful platform for automating your software development process. To integrate Trivy with GitLab CI, follow these steps:

  1. Create a .gitlab-ci.yml File
    Start by creating a .gitlab-ci.yml file in your repository. This file defines your CI pipeline.

  2. Add a Trivy Scan Job
    Within the .gitlab-ci.yml, define a job for Trivy scanning:

trivy_scan:
  image: docker:latest
  services:
    - docker:dind   # Docker daemon available to the job
  script:
    # Run Trivy from its official image. The socket mount lets Trivy use the
    # runner's Docker daemon where one is exposed; otherwise Trivy pulls the
    # image from its registry. The workspace mount gives Trivy a writable
    # location for its vulnerability database cache.
    - docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/root aquasec/trivy:latest image <your_image_name>
  only:
    - master

Replace <your_image_name> with the name of the Docker image you want to scan.

Integrating Trivy with Azure DevOps

For Azure DevOps users, integrating Trivy into your pipelines is straightforward.

Edit Your Azure Pipeline

In your Azure DevOps project, edit your pipeline YAML file.

Add Trivy Task

Add the following task to your pipeline:

- script: |
    # Same Trivy invocation as the GitLab job; the pipeline workspace is mounted
    # so Trivy has a writable cache directory.
    docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $(System.DefaultWorkingDirectory):/root aquasec/trivy:latest image <your_image_name>
  displayName: 'Run Trivy vulnerability scanner'

Again, replace <your_image_name> with your Docker image name.

Integrating Trivy with GitHub Actions

GitHub Actions makes it easy to automate all your software workflows. To add Trivy scanning to a GitHub Actions workflow:

Create a Workflow File

In your repository, create a new file under .github/workflows/ (e.g., trivy-scan.yml).

Define the Trivy Scan Workflow

Use the following template for your workflow:

name: Trivy Scan

on:
  push:
    branches: [ master ]

jobs:
  trivy_scan:
    runs-on: ubuntu-latest

    steps:
    - name: Check out code
      uses: actions/checkout@v2

    - name: Run Trivy vulnerability scanner
      run: |
        docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/root aquasec/trivy:latest image <your_image_name>

Modify <your_image_name> to match your Docker image.
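Each of the three jobs above prints Trivy's findings but does not by itself decide whether the pipeline should fail. The following script is an added example (not from the original post or from the Trivy project) that reads a Trivy JSON report (trivy image --format json -o report.json <your_image_name>) and exits non-zero when findings at or above a chosen severity are present, so the same gate can be dropped into the GitLab, Azure DevOps and GitHub Actions jobs. The embedded report is a constructed sample in Trivy's report layout, and its vulnerability IDs are placeholders, not real advisories. Trivy's own --exit-code, --severity and --ignore-unfixed flags provide the same gate natively; the script makes the decision logic visible and adds a per-target summary.

```python
"""Gate a CI job on a Trivy JSON report (constructed sample included)."""
import json
import sys
from collections import Counter

# Constructed sample in Trivy's JSON report layout; the IDs are placeholders.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example.local/app:1.0",
    "Results": [
        {"Target": "example.local/app:1.0 (alpine 3.18.0)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-00001", "PkgName": "openssl",
              "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.1-r0", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-00002", "PkgName": "busybox",
              "InstalledVersion": "1.36.0-r0", "FixedVersion": "", "Severity": "HIGH"}]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-00003", "PkgName": "lodash",
              "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21", "Severity": "MEDIUM"}]},
    ],
}

def triage(report, fail_on=("CRITICAL", "HIGH"), ignore_unfixed=False):
    """Return (should_fail, counts_by_severity, blocking_findings) for a Trivy report."""
    counts = Counter()
    blocking = []
    for result in report.get("Results", []):
        # Trivy omits the key, or sets it to null, for targets with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] += 1
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # no upgrade available yet: counted, but does not block
            if sev in fail_on:
                blocking.append((result.get("Target"), vuln["VulnerabilityID"], vuln["PkgName"], sev))
    return bool(blocking), dict(counts), blocking

def main(argv):
    """Usage: gate.py [report.json] [--ignore-unfixed]; uses the sample without a path."""
    paths = [a for a in argv[1:] if not a.startswith("--")]
    report = json.load(open(paths[0])) if paths else SAMPLE_REPORT
    should_fail, counts, blocking = triage(report, ignore_unfixed="--ignore-unfixed" in argv)
    print("findings by severity:", counts)
    for target, vid, pkg, sev in blocking:
        print(f"BLOCKING {sev:<8} {vid} in {pkg} ({target})")
    return 1 if should_fail else 0  # non-zero exit fails the CI job

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```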

Conclusion

Integrating Trivy into your CI/CD pipelines is a crucial step in identifying and mitigating vulnerabilities early in the development process. Whether you're using GitLab CI, Azure DevOps, or GitHub Actions, adding Trivy ensures that your deployments are more secure and reliable. Stay vigilant and proactive in your approach to software security!
