Getting started with Security Scanning | LIVE Trivy Tutorial

Captions
Hi everybody. I had a minor hiccup with the audio; I don't know if you could hear that. I think you could hear that, and kind of play the double. But hi everybody, welcome to the Aqua Open Source YouTube channel. My name is Anaïs, I'm the open source developer advocate here at Aqua. I don't expect this to be a huge live stream. In this live stream I'm basically going to showcase how to get started with Trivy, our all-in-one open source security scanner. I'm going to host this live stream probably on a bi-weekly basis, and every other week we're going to have a live stream with somebody from the team, so we're going to get that started.

If you're watching this afterwards, you can always... I mean, this is basically here on the YouTube channel just for educational and tutorial purposes. But if you're watching this afterwards on our YouTube channel, then yeah, we're going to have these live streams probably on a bi-weekly basis, so do make sure to subscribe to our YouTube channel if you would like to be notified about future live streams of this sort and other live streams. I'm working on getting a live stream up for next week with one of our newest team members. I'm saying newest team member; he's been part of the team for about two months now, but I just recently got to learn that he was actually contributing to our open source tools for over a year or so before he then joined our team full time. So we're going to have a live stream with Jose, hopefully next week, and hear about his contributor experience. So make sure to subscribe to this YouTube channel to be notified about that.

Now, in this live stream I'm going to showcase how to get started with Trivy, so let me share my screen for that. If you're watching this afterwards, feel free to either join our Slack channel if you have any questions, or just drop them in the comments and we will answer them in the comments. But otherwise you can also join these live streams live, and then I can address your comments, your questions, live, which is obviously more interesting than afterwards.

So, Trivy security, right? Trivy, our security scanner. Security... kind of trying to talk and type at the same time. Now, why do we want to use a security scanner in the first place? What is a security scan? All right. As engineers, you are probably using lots and lots of different types of resources, right? And I'm just going to draw a bunch of boxes, and they're going to refer to different types of resources that you all have to kind of juggle as an engineer. Now I'm referring specifically in this case to engineers, not DevOps engineers, but engineers might have libraries they have to deal with, they might have third-party code they have to verify, like what's going on there, they might have other resources, any types of resources, that they have to verify throughout the development life cycle for developing an application.

Now, as engineers, you would want to scan any resources that you're using for security issues. So any of these resources might have security issues within them, could be, right? You don't know. If you're using third-party resources, do you trust the author of those resources just by default, or do you verify by yourself that what you're using, what you're looking at, is actually legit? So you would want to get started with a security scanner to scan your code and other people's code for security issues.

Now, once you've developed the application, so the first part is the app, and then once you've developed the application you want to pack it up, and basically put it into a format that you can use to deploy it, such as in a container. So you can containerize the application and then you can use that container image to deploy your application. Now at each of those stages you will have to deal with different resources. So when you're developing the application you will have to deal with third-party resources to develop the application. You might have to, you for sure will, use other people's libraries, depending on the code base that you're using. So you will deal at each stage with different types of resources. I'm typing a minimum here right now so I can talk about it. But then once you pack it up, so once you're defining a container image in a Dockerfile, you would deal with other types of resources. So you would deal, for example, with choosing a base image for your own container image. So at each stage you're using different types of resources.

Now, whether you're working by yourself or in a team, depending on that you will work with different types of resources. So let's just clarify this image here for the people who are joining and who might skip ahead. We have our Trivy security scanner, and ultimately this is everything that we're going to talk about within that. So you have different types of resources, and in those resources you might have security issues that you want to discover within them, anything that might be going on in those resources. So before you use them, you want to check them. Then here you have your development process of developing the application, packing it up, and then, let's say, deploying the application. I hope I have enough internet and I'm not breaking up, but, fun having a live stream. So you have different processes, like developing and deploying the application, and in each stage you deal with different resources; that's ultimately what we talked about. So at the beginning you might have the engineers ultimately checking resources, and this is not showing up, can you see it? You can just see it. And then you have maybe the DevOps team, and then you might have a separate security team, or you might not, depending on who you are, depending on what the size of your team is, and you will use different tools. You will use different tools for your testing as an engineer versus in your DevOps team versus in your security team. However, Trivy is basically a security scanner that you can use at each stage to check your resources for security issues and misconfiguration issues.

Now, in this live stream we're going to focus on getting started with Trivy, just installing it and getting started scanning container images with Trivy for security issues. Now, when you join these live streams and you want to ask questions in the chat, you have to subscribe to our channel, any time period, and then you can interact and ask questions in the comments. Now let's head over to Trivy, because ultimately when you install Trivy... let's go ahead, where is Trivy? Yeah, so this is Trivy, and Trivy does a lot of different things. Now, in this tutorial we're going to focus on container images, scanning container images for security issues, and then scanning infrastructure as code, specifically Dockerfiles, for misconfiguration issues. That's what we're doing today. Now, in the next live streams I'm going to focus on other parts of Trivy, basically each time another part. Also, if you have any questions, then we could host a live stream or a tutorial specifically answering your questions as well. So this is basically just a resource to get started.

Now here's a quick section on how you could get started installing Trivy in the README; that's one part where you can check it out. The links to getting started with Trivy are below in the description; I will probably add more links after this live stream. So you can install Trivy in multiple different ways. Now, if you are unclear about installation options here, or you would like more details, more information, then you can head over to our documentation, which I already had open, but here's our documentation. Now bear in mind that when you're watching this live stream our documentation might have changed, so we might have a different setup here or different wording used for the titles, or similar, and the images are not loading, which I will have to fix afterwards. But ultimately, in the Getting Started section you will find our installation guide, and here's our installation guide. So as you can see, depending on your operating system there are different ways on how you can go ahead and install Trivy. Now, I'm on macOS, so I used Homebrew to install it; it's a pretty straightforward command, just installing Trivy. Now, depending on your environment you would maybe want to use a different installation guide. You could also run Trivy through its container image directly. Now, we just released the latest release of Trivy, 0.29.2. So if you're on older versions, the commands that I'm showing you today will probably still work as they are, but future commands or other commands within the documentation will likely be different, so make sure to update your Trivy CLI tool there.

So let's go ahead to our terminal, when I find it. Here we go. So once you have installed Trivy you can check, for example, the version. Well, if you just type trivy you're provided with the version, and then you can see a list of different commands on how you can get started. Now I'm directly interacting with the CLI tool. So going back to our original drawing, Trivy comes both as a CLI tool, let's go to installation, so it comes both as a CLI and an operator, the Trivy Operator. So in this tutorial we're going to focus on the CLI tool. And let me remove this brand thing, can I do that? I can't do that, oopsie, never mind then. Oh, here we go, okay. So, installation, CLI tool, and this is basically... you use the CLI mainly when you're early on in your development life cycle, or if you want to focus on scanning specific resources; that's when you use the CLI tool. So for specific resources, for example, that's when you use the CLI, and it's usually used by engineers or individual developers, or also cluster admins; we will get to that in a second. But when you're getting started with Trivy and you understand specific engineering resources, you would first use the CLI tool. Ultimately you would install it inside of your terminal and then you would use it directly through your terminal. Now, this is, as you can see, focused on different kinds of developers too, for example DevOps engineers. DevOps engineers would maybe, instead of the CLI tool, they would use the CLI tool but inside of a CI/CD pipeline. So depending on where you want to use and how you want to use Trivy and who you are, you will use Trivy in different ways to scan your resources for security issues.

Now, at the beginning I mentioned you would go ahead and just install the CLI and go ahead and scan specific resources through the specific commands. So for example with trivy image we can scan specific container images for vulnerability issues. So you just basically say trivy image, or you can also use the short version, and then the image name, the container image name. So for example we can scan this container image, trivy image ubuntu:20.04, and then it goes ahead and scans the container image for vulnerabilities. Now, this is the output that you're provided with through the CLI tool, and in here you can see that we have several different types of vulnerabilities. First the vulnerability itself, the CVE description, then we have the severity: is it low, medium, high, or unknown, or critical as well, we have that as well. And an installed version that has the vulnerability, and then there's a fixed version. So if the vulnerability already has a fix available, then we provide you with the fixed version. So for instance this medium vulnerability here already has a fix available. Now, we can also go ahead and open up this link to have additional information on the CVE, what it is, and we can look at it and see, does it actually affect us? Now, in future live streams I can show you some plugins that you can use with Trivy to actually make it easier to identify whether or not a vulnerability affects you and your resources. But yeah, so this is what you're provided with when you do your first container image scan.

Now the thing is, in lots of scans you operate with lots of different information. So if you say trivy image ubuntu, then depending also on the size of the container image, you might be faced with a very long list of vulnerabilities, and a lot of these vulnerabilities might not be tailored to you, they might not affect you, or there might not be a fix available. Most of these vulnerabilities here don't have a fix available. So we can add a flag called --ignore-unfixed, and this is probably one of the most common flags that you will use with Trivy. So we could say trivy image and then --ignore-unfixed and then the image name that we want to scan. This is basically our previous image scan, and then we can scan the same container image, but in this case we say we only want to see the vulnerabilities that already have a fix available for them. And now we can see there are only five total vulnerabilities, all medium, and they're all related to the same CVE. So instead of having this very long list of vulnerabilities that we can't even fix yet, we have a shorter list now of the vulnerabilities that already have a fix available.

Now, where do those vulnerabilities that Trivy is scanning for actually come from? Let's take a look at that. So when you run this scan, Trivy will scan the resource, in this case the container image, against its list of vulnerabilities, against its vulnerability database. And this vulnerability database has information that is compiled from multiple different sources, and it's periodically, every six hours, updating its database. So we can head over to trivy-db, which is also an open source project within Aqua Security, and ultimately Trivy is using this Trivy database for its vulnerability scans. So it's another CLI tool, but you wouldn't use it directly in most cases, unless you want to make any changes to it, or if you for example want to have an air-gapped environment where you manipulate the database in a specific area of your environment and then Trivy is using it without Trivy actually having access to the outside world. You would maybe then use trivy-db directly. But in most cases you wouldn't interact with the Trivy database directly; it's just to let you know where those actually come from. So the vulnerabilities are information from these different sources. There are multiple different sources; I don't even know all the different sources where it's pulling from, but it's basically pulling from a list of vulnerabilities, and it's updating every six hours. So if you're using Trivy, for example, in a CI/CD pipeline, like we've seen here you can use it in a CI/CD pipeline or the CLI tool or anything else, it will basically update its database periodically every six hours. You don't have to manually update the database; you can know that every six hours the database is updated, and then it will compare the vulnerabilities that are found in any resources against this most up-to-date list of vulnerabilities that it pulled from. So the --ignore-unfixed flag is basically the flag that you would want to use the most with Trivy when you scan a container image for vulnerabilities.

Now, in addition to the --ignore-unfixed flag, we can also filter for the severity of vulnerabilities. In this case I'm going to remove this, but we can say that the severity, where do I have it, should be, for example, high or critical, and that means that we really want to see only those vulnerabilities labeled with high or critical severity. So in many cases unknown or low vulnerabilities might not affect us, or we might not want to pay attention to them in the immediate, in the short term. So let's assume you have a very large-scale environment with lots and lots of different resources, and you scan all of those different resources for vulnerabilities. You wouldn't want to pay attention to every single vulnerability right away if you're bombarded with vulnerabilities. And a comment that we get quite a lot regarding our open source tools is that it's quite difficult to filter for different vulnerabilities, like it's very difficult to know actually which vulnerabilities you should pay attention to. This is all something you would have to do manually, or mostly manually, through the Trivy open source version, the Trivy open source project. Now, Aqua Enterprise is also offering a Trivy premium option, where it's providing similar features and functionality, but in a more managed, automated way for you. So you are actually provided with options to automatically update, for example, your repositories, your libraries and so on, depending on the recommendations, on the fixed versions and so on, versus with Trivy, with the open source version, you would have to do that quite manually yourself. Oh no, I put it away.

So if you scan in this case for high and critical vulnerabilities, in this container specifically there are no high and critical vulnerabilities. So what we could do is, when we scan container images, we could, for example, in our CI/CD pipeline, say that whenever we push to main, if Trivy finds any critical vulnerabilities, then the build fails, for example; then we can't push the updated container image of our application to our container registry. So we could have additional rules, automated rules, for our CI/CD pipeline that identify if there is a new critical vulnerability, we shouldn't be able to let our builds pass, for instance. Now through the CLI tool, if you're using the CLI tool, it allows you to filter, for example, in any of the resources you're using, for critical and high vulnerabilities, and if you can fix them yourself you can already do a fix before you even push to main, before you even make any updates to your Git repository. So let's assume you're an engineer and you're developing a new feature, and then you find, as part of that feature, for example, quote unquote in your own resources, you find critical vulnerabilities. Now you could make updates. But if those vulnerabilities are somewhere else, in third-party resources, then you might want to find alternatives if those vulnerabilities would otherwise affect you, and similar. So that's something you could actually do if you're using the Trivy CLI.

Now I see a question here, if Aqua Security has any openings for internships. Now, this is a bit unrelated to the live stream, but I can just comment on that. Are there any internships? There are some programs, but specifically in the Israel, Tel Aviv office. We also have internships in the Boston office, but those are specific programs, so I'm not sure about other internships that we offer. I would suggest you check out our career page and then see if there are any internships listed there, or reach out to somebody from the recruitment team and see if there are any opportunities and if they match your skills and interests. So that's what I would say. Thank you for the question.

Now, going back to the Trivy CLI. So you would have the Git repository, and then once you have basically made any changes locally throughout your development process, you can then push to the Git repository, and then the CI/CD pipeline could additionally run automated checks. So that would kind of be the process. So here, this part is highly manual, and then this part is more automated, and this part is a more automated process. Now if you're joining right now, then this diagram might not make much sense to you, so in that case I would suggest you watch the previous part of this live stream. But ultimately, to summarize at this point: you have different resources that you use, they are used by different types of developers, different types of engineers, throughout your development life cycle, and Trivy can be used in different ways. You can use it as the CLI tool, in the CI/CD pipeline, or as the Trivy Operator. Now, in this case we are going to focus on the CLI tool.

Now, like shown, you can scan specific container images for vulnerabilities that are then presented to you as a nice table, as a nice database. Now, other things that you can do: you can also scan container images by, for example, the type of library, or no, the vulnerability type, either type library: is it a library-related vulnerability or an operating-system-related vulnerability? So that's what you could do as well, scanning that container image for those types of vulnerabilities. Now let's see when it's passed. Yeah, what else? Now, there are multiple different options, different flags, that you can pass into your Trivy scan; however, the most common ones are really the vulnerability type, then unfixed vulnerabilities, and the severity of the vulnerability that you want to see. Now here we go, here we have all of the vulnerabilities listed. As you can see, like mentioned earlier, this is really a large number of vulnerabilities, so you would want to find different flags and ways that you can manage those vulnerabilities within your development process.

Now, another thing you can do is, instead of scanning specific container images, and this is quite a minor thing, or, well, major or minor depending on how you see it, you can also scan Git repositories, any Git account, Bitbucket, GitLab, GitHub, for vulnerabilities. So in this case we can scan for library-related vulnerabilities in this GitHub repository that's by an ex-co-worker of mine, and then we are provided with the list of vulnerabilities. So you don't have to have access to the resources locally, let's say; you can also scan remote Git repositories for vulnerabilities. Now, this is really focused again on vulnerabilities, not misconfiguration issues. Now again, for example, if you're using this Git repository, you would want to check it for vulnerabilities before you actually start using it.

I'm going to keep an eye on the chat, but, like mentioned, this is probably always going to be a very quiet live stream, so you can join at any point, you can join with your questions, you can re-watch it, you can let us know what kind of live streams you would like to see or what you would like us to discuss in those live streams. It might be just me talking in the live stream, or I might ask some co-workers of mine to join me in a live stream. Yeah, awesome. What else?

So in this live stream I want to focus on container image vulnerabilities, scanning container images for vulnerabilities, but also your Dockerfile. Now, as a last part, I want to show you, and let me just open Docker Hub. Okay, let me just open it. So I'm here on Docker Hub, and basically this is one of multiple container registries that you could be using. You might be using Docker Hub, you might be using another container registry, but ultimately any of those images here might have vulnerabilities, so they will likely have at one point all the other vulnerabilities within. Now, we can go ahead and scan a basic container image for vulnerabilities. So we could, for example, say alpine:3.15. If we want to use it as our base image in our Dockerfile, we could go ahead and say trivy image and then node, no, it's alpine, alpine:3.15, was that the right tag? And we should scan it for vulnerabilities now. Now, in this most recent Alpine image there are no vulnerabilities discovered, so I would feel confident now to go ahead and use this container image with its tag as a base image for, for example, a Node-based application.

Now we want to go ahead as well and scan Dockerfiles for misconfiguration issues and vulnerabilities. So I have here two applications, and let me just zoom in. So in this basic React application, this is a very basic React application, I have, for example, a Dockerfile. In other applications you will also have a Dockerfile. Now, I would want to check first of all the base images that I'm using at each stage of my builds, and check those for security issues, for vulnerabilities. And then once I have built the Dockerfile, I would want to scan my Dockerfile for misconfiguration issues.

Now let's go back to our little drawing, because it continues. So Trivy, there are three main scans; let me just take several boxes to elaborate what types of scans it actually does. And if you can't hear me because my internet might be breaking up, then please tell me, or I will figure it out after the live stream. So it can scan for vulnerabilities, then it can scan for misconfiguration issues, and then it can scan for issues related to your secrets and secret management. Okay, so these are the main three types that Trivy will scan for. Now, right now in this live stream we first scanned container images for vulnerabilities; that's what we just did. Now, for misconfiguration issues, what you would want to do is scan any configuration file, any infrastructure as code configuration file, and that includes your Dockerfile, for any misconfigurations, anything that you define in a less optimized or compromised way in your Dockerfile, for instance. So you can scan a Dockerfile for issues; that's another resource. Now, there are so many artifacts and resources that Trivy can scan, and in each live stream we will focus on different types of artifacts and resources. These are the ones that we focus on today, and we will elaborate on different types in the future.

So in this case, for vulnerabilities, for image scanning, how can I move to the side here? It's up and down, this is bigger, okay, this is the same. So in the case of vulnerability scans, the command that you would use for the CLI is trivy image, and then you would specify the container image, like we just did. This is the command that we used to scan our container images for vulnerabilities, and then we use different flags. Now, in the case of misconfiguration issues, let me move this one a bit out of the way, what you would want to do here is to say trivy config; you would use the config command to scan your Dockerfile for misconfiguration issues. Misconfigurations, configuration issues, same thing I guess, a different way of expressing it. So if I say trivy config, then I get all the options that I can use to scan during my misconfiguration scan. Now, in Trivy itself you can also find here trivy config, scan configuration files. Now I know, or like, I was made aware that, depending on the terminology that you're using so far, you would define configuration files differently. For us, a configuration file is anything related to defining how your application is going to be deployed and to defining deployment resources. So that's anything from your Dockerfile, over your Kubernetes YAML manifests, over Terraform configuration files, CloudFormation, anything that's related to deployments and basically configurations of your applications; that's basically defined as config in Trivy.

So we're going to use the trivy config command, and we want to scan... here we have basically, in this folder, in the bad infrastructure as code folder, in the docker directory, we have a Dockerfile. So we can go ahead and print out the Dockerfile, docker/Dockerfile, and this is our Dockerfile that's in here in this example. We're using the latest image from Ubuntu, we are exposing a port which you probably shouldn't expose, but we're going to learn about that in a second, then we're going to put a bunch of different information in there. Basically it's not a very good Dockerfile; that's why it's in the bad infrastructure as code. But if you're getting started with container images, with writing your own Dockerfiles, you may not be aware why it's bad, or like what is a bad or good Dockerfile. And before you're using container images in production you'll probably want to have a look at the container images from other people that you want to use and that you want to deploy in your own environment. So what you can do in this case is go ahead and say, okay, you want to scan this Dockerfile before you're actually using it. So you can say trivy config, or conf, and then the Dockerfile that you want to scan, and here you're provided with a list of high and medium vulnerabilities.

So one of the vulnerabilities, for instance, is that there is no user defined who's not the root user within that container image build. So what we're going to do is define the user of the container within that container image; I hope that's the terminology of how you say it. But ultimately, where is it? It's here. So here's our Dockerfile, and in this case I already have a line that specifies the user. So this is specifying a user in our Dockerfile, and once we uncomment that and save it and re-scan the same Dockerfile with Trivy, we shouldn't get the user-related issue anymore. So as you can see, before we had, how many failures? Before we had six failures, and now that we made a little improvement to our Dockerfile we have five failures. And then you can obviously see other issues, like you shouldn't use the latest tag of your base image; you should always use a specific image tag, because you never know what is being pushed to a container registry, even by the maintainers, even of a popular container image. You should always cross-check that. Yeah, this is ultimately what you do with the trivy config command.

Now, that's all I wanted to show for today. I'm going to keep these live streams really, really light, let's say. Again, if you have any questions, please comment them below or join us on our open source Slack channel. Now again, everything that I showed here is open source; all of the tools that I'm showing here on this YouTube channel are open source tools, such as Trivy. So you can check out Trivy; the link to the repositories is, I think, below, otherwise I'm going to update that. So you can check everything out by yourself, try it out yourself. In the next live stream we're going to look at further misconfiguration scans of your YAML manifests as well as of your Terraform configuration files, and then in another live stream we might look at CI/CD pipelines, likely with Trivy. So, different ways that you can use Trivy and different resources that you can scan with Trivy. In the meantime, if you have any questions, please do let us know. Make sure to subscribe to this YouTube channel to stay up to date with future live streams. Thank you so much to those who joined live and other people who are maybe watching this afterwards. Have an amazing day, bye!
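Added example (editor's addition, not code from the livestream or from the Trivy project): a small CI gate that wraps the two commands shown in the stream, trivy image and trivy config, with --format json, and then applies the policy the speaker describes: fail the build when a fixable HIGH or CRITICAL vulnerability is found in the image, or when a Dockerfile check fails. run_trivy() assumes a trivy binary on PATH; the two sample reports are constructed (placeholder CVE IDs, trimmed to the fields Trivy actually emits) so the filtering and gating logic can be run and checked offline.

```python
"""CI gate around the Trivy CLI: fail on fixable HIGH/CRITICAL image
vulnerabilities and on failing Dockerfile checks. Editor's example; assumes
`trivy` is installed only for the live-scan path in run_trivy()."""
from __future__ import annotations

import json
import subprocess
from typing import Any

BLOCKING = ("HIGH", "CRITICAL")   # same set as `--severity HIGH,CRITICAL`


def run_trivy(subcommand: str, target: str, *flags: str) -> dict[str, Any]:
    """Run `trivy <subcommand> --format json --quiet [flags] <target>` and
    return the parsed report. Trivy's own exit status is not used; the
    functions below decide pass/fail from the report contents."""
    cmd = ["trivy", subcommand, "--format", "json", "--quiet", *flags, target]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    if not proc.stdout.strip():
        raise RuntimeError(f"trivy produced no report: {proc.stderr.strip()}")
    return json.loads(proc.stdout)


def blocking_vulns(report: dict[str, Any], severities=BLOCKING,
                   ignore_unfixed: bool = True) -> list[dict[str, str]]:
    """JSON-side equivalent of `--severity ... --ignore-unfixed`: keep only
    findings whose severity is in `severities` and (by default) that have a
    FixedVersion. The Vulnerabilities key is absent when a target is clean."""
    hits = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in severities:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            hits.append({"target": result.get("Target", ""), "id": v["VulnerabilityID"],
                         "pkg": v["PkgName"], "installed": v["InstalledVersion"],
                         "fixed": v.get("FixedVersion", ""), "severity": v["Severity"]})
    return hits


def failed_misconfs(report: dict[str, Any], severities=None) -> list[dict[str, str]]:
    """Dockerfile/IaC checks with Status FAIL (PASS entries only appear in the
    report when trivy config is run with --include-non-failures)."""
    fails = []
    for result in report.get("Results", []):
        for m in result.get("Misconfigurations") or []:
            if m.get("Status") != "FAIL":
                continue
            if severities and m.get("Severity") not in severities:
                continue
            fails.append({"target": result.get("Target", ""), "id": m["ID"],
                          "title": m["Title"], "severity": m["Severity"]})
    return fails


def gate(image_report: dict[str, Any], config_report: dict[str, Any],
         severities=BLOCKING) -> bool:
    """True when the build may proceed: no fixable vuln at a blocking severity
    and no failing Dockerfile check of any severity."""
    problems = [f"{v['target']}: {v['id']} {v['pkg']} {v['installed']} -> {v['fixed']} [{v['severity']}]"
                for v in blocking_vulns(image_report, severities)]
    problems += [f"{m['target']}: {m['id']} {m['title']} [{m['severity']}]"
                 for m in failed_misconfs(config_report)]
    for p in problems:
        print("BLOCK", p)
    return not problems


# Constructed sample of `trivy image --format json ubuntu:20.04`, trimmed to the
# fields used above. CVE IDs are placeholders, not real advisories. The first
# entry omits FixedVersion and the last sets it to "": both are "unfixed".
SAMPLE_IMAGE_REPORT = {"ArtifactName": "ubuntu:20.04", "Results": [{
    "Target": "ubuntu:20.04 (ubuntu 20.04)", "Class": "os-pkgs", "Type": "ubuntu",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libfoo1",
         "InstalledVersion": "1.0-1", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libbar2",
         "InstalledVersion": "2.3-0ubuntu1", "FixedVersion": "2.3-0ubuntu1.1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libbaz0",
         "InstalledVersion": "0.9", "FixedVersion": "0.9.1", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "libqux",
         "InstalledVersion": "4.0", "FixedVersion": "", "Severity": "LOW"},
    ]}]}

# Constructed sample of `trivy config --format json docker/Dockerfile`
# (--include-non-failures) for the stream's "bad" Dockerfile: root user and a
# :latest base image. DS001/DS002 are Trivy's Dockerfile check IDs for these.
SAMPLE_CONFIG_REPORT = {"ArtifactName": "docker/Dockerfile", "Results": [{
    "Target": "docker/Dockerfile", "Class": "config", "Type": "dockerfile",
    "MisconfSummary": {"Successes": 1, "Failures": 2, "Exceptions": 0},
    "Misconfigurations": [
        {"ID": "DS002", "Title": "Image user should not be 'root'", "Severity": "HIGH", "Status": "FAIL"},
        {"ID": "DS001", "Title": "':latest' tag used", "Severity": "MEDIUM", "Status": "FAIL"},
        {"ID": "DS005", "Title": "ADD instead of COPY", "Severity": "LOW", "Status": "PASS"},
    ]}]}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # live: python gate.py <image> <path/to/Dockerfile>
        ok = gate(run_trivy("image", sys.argv[1], "--ignore-unfixed"),
                  run_trivy("config", sys.argv[2]))
    else:                    # offline demo on the constructed reports above
        ok = gate(SAMPLE_IMAGE_REPORT, SAMPLE_CONFIG_REPORT)
    sys.exit(0 if ok else 1)
```

For a single scan you do not need any of this: trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed IMAGE and trivy config --exit-code 1 docker/Dockerfile make Trivy itself return non-zero on findings. Parsing the JSON is worth it when you want one verdict over several scans, want to keep the report as a build artifact, or want a policy Trivy's flags cannot express (here: all failing Dockerfile checks block, but only fixable high/critical vulnerabilities do).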
Info
Channel: Aqua Security Open Source
Views: 3,336
Id: sjDA9CgYWLU
Length: 37min 1sec (2221 seconds)
Published: Mon Jun 27 2022