Day 4 | Pods in Production, SideCar vs init Containers, Trivy, Kyverno

Image Security: Trivy

• The image has several layer and sometimes in one of these layers there CVE(Common Vulnarability and Exposers), in simple words a kind of backdoor is there so chances of hacking is greater.
• So we want to make sure that the image we are using must be secure.

So to prevent this there is tool called trivy

Trivy is an open-source vulnerability scanner that detects misconfigurations, secrets, and vulnerabilities in containers and other artifacts:

• Vulnerabilities: Trivy scans for vulnerabilities in OS packages and language-specific packages.
• Misconfigurations: Trivy scans Infrastructure as Code (IaC) files like Kubernetes and Terraform to detect potential configuration issues.
• Secrets: Trivy scans for hardcoded secrets like passwords, API keys, and tokens.
• Targets: Trivy can scan container images, file systems, Git repositories, Kubernetes clusters, and resources.
• Support: Trivy supports multiple formats, including container images, tar archives, and image directories.

Trivy is simple to use, and all you need to do is install the binary and specify a target. You can generate scan reports and store them long term in S3 buckets or other long-term solutions.

Two way to use trivy:

1. Manual scanning
2. Add a stage CICD pipeline

Here are some steps for using Trivy to scan an image:

1. Install Trivy: Trivy can be installed as a binary, container image, or snap package.