Getting Started With Trivy and Jenkins

Captions
Getting started with Trivy and Jenkins. [Music] When you are assembling your application, you usually start with your build tools such as Maven or npm. Next you probably do some sort of static analysis against your code using a tool such as SonarQube. But have you reached the point yet where you're using a vulnerability scanning tool for your artifacts? One option is Trivy from Aqua Security. In this video we're going to look at how we can use Trivy inside of a Jenkins pipeline.

Here's today's starting point. I have a Jenkins LTS controller; it's version 2.303.3. Attached to this controller I have a Linux-based agent running Docker, and I also have the Trivy binary installed. We're also using a sample repository today. The sample repository is linked down in the description, and it is one that I've used in other videos, but I'm using the trivy branch today, so if you go take a look at the sample repository, make sure that you pick the trivy branch. Now what we have is a very simple Spring Boot application that is going to be packaged as a container image, so we have a Dockerfile and we have three different Jenkinsfiles that we're going to be going through in this example. As you can see in this Dockerfile, we're using multi-stage builds, so we're going to be doing all of our Maven build within this Docker build image, and then, just like you would do in a multi-stage build, the necessary contents from that build image are copied into our final image. So let's go over to our controller and set up the job for Jenkinsfile-1.

So we'll go here, New Item, we'll call this java-web-app pipeline, OK. We'll use Pipeline script from SCM, change this to Git, paste in our repository URL, and we are using the trivy branch, and finally we're going to do Jenkinsfile-1. Before we run this, let's go take a look at what Jenkinsfile-1 is. What we're going to be doing is a docker build, and then we're going to be scanning the image that we built using Trivy. So we're doing a docker build for darinpope/java-web-app:latest, and then we're going to be scanning that same image. So let's go back over to our controller and let's go ahead and click on Build Now. As this starts up we see our docker build; we're doing our build, and this will take just a few moments, so we'll fast forward through this. Now that the build has completed, we have Trivy running against our image, so let's scroll up and take a look at the output. What we see is it gives us a "Need to update DB". There is a database behind Trivy that allows it to figure out what kind of vulnerabilities might be there, so if you don't have a fresh version of the database, by default it's going to automatically download that database for you. Then from there we have our progress. This is sort of ugly when you're looking inside of Jenkins, but go with me for a few minutes; at least we know it's making progress. Then we see that it found Alpine, which is our base image, based on the OpenJDK image that we're using. It's checking for Alpine vulnerabilities, and then it also found some JARs, because we built a Java-based app using Spring Boot. What we see here is that within our Alpine image there were no vulnerabilities found, so all five here, UNKNOWN, LOW, MEDIUM, HIGH and CRITICAL, are all zeros, but within the JARs we found one JAR that has a MEDIUM severity. But let's scroll back up here for just a minute. Let's think here for just a minute and say that, OK, we want to clean up our output here within our build: we can suppress our progress, which is good; we'll go through and do that in a moment. And we also want to only track both HIGH and CRITICAL, so we want to go ahead and ignore anything less than HIGH. So how do we do that?

If we go back over to our repository and take a look at Jenkinsfile-2, here's what we have. We have "no progress", so that will suppress the progress output that happened in our log. We're specifying the severities that we want to report on; in this case it's a comma-delimited list, and right now we're specifying just HIGH and CRITICAL. We're also including "exit code 1", and what exit code means is this will be the exit code that's returned if Trivy finds anything in the case of HIGH or CRITICAL, and it will return it as a failure, so the exit code will be 1. By default the exit code is always 0, but in the case of a failure, and I'm defining failure as "I found either a HIGH or a CRITICAL", then I want to go ahead and return an exit code of 1. Since we're running this through a shell step, if an exit code of 1 is returned then our job will fail, which is what we would want; we would not want any other processes to continue on after a failure. So let's go ahead and modify our job to use Jenkinsfile-2 and let's see how the output changes. So we'll go back here, Configure, go to Jenkinsfile-2, and let's go ahead and do a Build Now. If we take a look at build 2, this is going to run a lot faster because we have things cached at this point. So we built our image, we see our "no progress", "exit code 1", "severity HIGH and CRITICAL"; we don't see a progress bar, if you will, as we go through the log output, and we only see HIGHs and CRITICALs listed for both the Alpine scan and our JAR scan, so at this point everything is successful.

Now, when we ran that first job we saw that we had a MEDIUM severity item pop up during the scan. Well, let's say that we've now changed our processes and we want to include not only CRITICALs and HIGHs, and make sure that we have zero of those, but we also want to have zero MEDIUMs. So CRITICAL, HIGH, MEDIUM: if we find any of those, we want this job to fail. What we want to do is go take a look at our Jenkinsfile-3, which is just adding MEDIUM to our severity, so this is exactly the same as Jenkinsfile-2 except for MEDIUM. So let's go back over to our job and make the change. Whoops, hit the wrong thing here; Configure, there we go, and let's go and change 2 to 3. Now that other job is finished already, so that's good, so let's go ahead and now run this one; we'll click on Build Now. If we take a look at the output of build 4, we see that it failed, and why is that? Well, we added in a MEDIUM severity, so we're saying, OK, we're looking for MEDIUM, HIGH and CRITICAL. We didn't find any of those within the Alpine scan, but within the JAR we found one MEDIUM, and since we specified an exit code of 1, when Trivy completed it returned an exit code of 1, which signaled back to our controller's sh step that this failed, and that's now why we have a failure within this job.

Now, everything we've demonstrated up to this point is just scanning our final image, but what if you wanted to be able to scan your intermediate image? Your business rules may have changed to where now not only your final images have to pass vulnerability scanning, but also your intermediate images that you're using in that multi-stage build have to pass. What we can do, if we go back over to our Dockerfile, is this: I had some commented lines in here, and we can add in the Trivy scanner to scan our build image. If you remember back from here, we're saying FROM AdoptOpenJDK 11 AS build, but now I can scan even that, because when Maven does this build here it's going to be pulling down lots of different JAR files and other items that support Maven, and some of those items might be considered vulnerable, and we would want to try to resolve those if we possibly could. But what we're going to see here in this scan is something a little bit different. Up to this point we've just been saying "trivy" and the image name, and that's actually shorthand for "trivy image" and then the image name. There are multiple different ways you can run Trivy, and if you see here in line 15 we're going to run "trivy rootfs", and that's going to be looking across the whole image, so from root, checking for Alpine, checking for JARs, checking for everything. So let's go ahead and save this file and commit it up to our repository, and let's go ahead and run this job. So we're saving this, we've pushed it up, let's flip back over here to our java-web-app. We're going to leave our Jenkinsfile-3 in place; the only change that we've made is to our Dockerfile. So if we go ahead and click on Build Now, when we take a look at the output for build 5 we can see that we're doing our docker build, that's normal, here's our "AS build", but then we get down to these steps: FROM build AS vuln-scan, then we're copying Trivy from the Trivy image into our intermediate container, and then we're running "trivy rootfs", not showing the progress bar, going against root. Now, we're also not changing our exit code at all, so whether this passes or fails it's always going to succeed. So: needed to update the database, detected OS, it found some Go binaries, it's checking for JARs. Because within our final image we didn't have any Go dependencies, all we had was just Java. If we take a look here, our Alpine image is actually all OK, but if you look within JARs we see lots of potential problems: we have five CRITICALs, ten HIGHs, five MEDIUMs and three LOWs. These range from something as low as Guava to the point of doing something with commons-io from 2.2 to 2.6; many different items here. But again, we're going to assume, because our intermediate container is thrown away, that we really don't care long term, but we want this information so we can make a decision going forward of, OK, how tightly secure do we want our intermediate containers to even be. So we'll go ahead and scroll through to the end of that: it removes the intermediate container, so that's all gone, we build our final container image, and then we take a look at it, and then we're back to our normal one MEDIUM with just the jakarta-el item.

In addition to being able to scan container images, Trivy gives you the ability to scan a local project, including language-specific files. It also gives you the ability to scan a rootfs, just like we saw a few moments ago, but that can be a virtual machine image, it could be a host machine, or even an unpacked container image file system. You can also scan a remote Git repository. So at this point it's up to you: is it time to add vulnerability scanning to your pipeline or not? If you have any questions or comments you can reach out to us on Twitter at @CloudBees. If this video was helpful to you, give us a thumbs up, and if you haven't subscribed to CloudBeesTV yet, why not take a moment, click on that Subscribe button and then ring that bell, and you'll be notified any time there's new content available on CloudBeesTV. Thanks for watching and we will see you in the next video.
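The pipeline the video walks through, written out as an added example in declarative pipeline syntax; this is not Jenkinsfile-1, -2 or -3 from the sample repository. It assumes an agent labelled `docker` (assumed label) with both `docker` and `trivy` on its PATH, a Dockerfile in the checked-out repository whose first stage is named `build` as in the video, and the image name `darinpope/java-web-app`. It goes one step beyond the video's Dockerfile change: instead of running `trivy rootfs` from inside the Dockerfile, it builds the intermediate stage with `docker build --target build`, scans that image with `trivy image` in report-only mode (exit code left at Trivy's default of 0, matching what the video does for the intermediate container), and enforces `--exit-code 1` only on the final image with the severities from Jenkinsfile-3.

```groovy
// Added example, not the sample repository's Jenkinsfile.
// Assumptions: agent label 'docker'; docker and trivy on PATH; the Dockerfile's
// first stage is named 'build'; image name darinpope/java-web-app.
pipeline {
    agent { label 'docker' }

    environment {
        IMAGE   = 'darinpope/java-web-app'
        // Severities that fail the job on the final image.
        // Jenkinsfile-2 used HIGH,CRITICAL; Jenkinsfile-3 added MEDIUM.
        FAIL_ON = 'MEDIUM,HIGH,CRITICAL'
    }

    stages {
        stage('Build intermediate stage') {
            steps {
                // --target stops the multi-stage build at the 'build' stage
                // and tags it so it can be scanned like any other image.
                sh 'docker build --target build -t "$IMAGE:build" .'
            }
        }

        stage('Scan intermediate stage (report only)') {
            steps {
                // The intermediate image is thrown away, so report everything
                // but do not fail: --exit-code is left at its default of 0.
                sh 'trivy image --no-progress "$IMAGE:build"'
            }
        }

        stage('Build final image') {
            steps {
                sh 'docker build -t "$IMAGE:latest" .'
            }
        }

        stage('Scan final image (enforced)') {
            steps {
                // --severity limits the report to the listed levels and
                // --exit-code 1 makes trivy return 1 when any of them is found;
                // the sh step then fails, which fails the job.
                sh 'trivy image --no-progress --exit-code 1 --severity "$FAIL_ON" "$IMAGE:latest"'
            }
        }
    }
}
```

Splitting the intermediate and final scans into separate stages keeps the report-only result visible in the build log without weakening the gate on the final image; if the policy on intermediate images later tightens, the only change is adding `--exit-code 1` and a `--severity` list to the report-only stage.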
Info
Channel: CloudBeesTV
Views: 6,882
Keywords: darin pope, jenkins, jenkins tutorial, trivy scanner, trivy container scanner, aqua trivy, aquasecurity trivy, trivy vulnerability scanner, trivy aqua, trivy security, trivy scanner jenkins, trivy aqua security, trivy docker scanner
Id: MWe01VdwuMA
Length: 12min 52sec (772 seconds)
Published: Tue Dec 14 2021