Scan any Git Repository for Security Issues with Trivy

Captions
Hello and welcome back to the Aqua Open Source YouTube channel. My name is Anais Urlichs, I'm the open source developer advocate here at Aqua. Now, Trivy is our all-in-one security scanner, meaning you can scan lots of different resources, such as your container images, your file systems, your Git repositories, as well as your infrastructure as code, or even running workloads within your cluster, for vulnerabilities, misconfigurations, exposed secrets and lots, lots more. Trivy can also do things such as SBOM generation and lots of other things. However, in this video we want to go back to vulnerability scanning and really focus on vulnerability scanning specifically of our Git repositories. Whether those are your own Git repositories or somebody else's Git repository, you can scan it for vulnerabilities and misconfigurations. Up to the previous release it would be a simple "trivy repo <repository link>" scan, but now, since the previous release, you can also specify either the Git branch or the Git commit hash to scan specific commits or specific branches for vulnerabilities and misconfigurations. In this video I'm going to show you exactly how to do that.

Special thanks to Shubham, who contributed the additional refinement to the git repo scan command in Trivy. We actually have a live stream that we recorded with Shubham two weeks ago on our channel. If you want to learn more about their contributor experience, how they got started contributing to Trivy and to open source in general, do check that out. It was a really, really interesting conversation with lots of tips by Shubham. Thank you so much for contributing to Trivy. And if you're one of our contributors and you would like to be on our next live stream, please do reach out; the Slack channel is linked below, where you can reach out to us and where we can get you scheduled for one of our next live streams.

Now, here in the release notes you will find the latest updates from Trivy. It's linked in our Discussions, pinned at the top. Here you will also find an overview; we love to thank our different contributors for the features they add to Trivy. And when you go over to Trivy, to the documentation, inside of Docs you will find Vulnerability Scanning and Git Repository Scanning, and this is what we're going to do now. Now, you can also find all of the different commands that I will be using in the Trivy demo repository, with all of the different examples on what and how and why you can scan which resources.

Now let's assume I want to get started with Go and I'm looking for some example projects, also to give me some inspiration for the example project that I could do to improve my skills. So I googled just "go example projects" and I came across this example project, golang example app, and this looks like a really nice app. It has a release, it has a contributor, it has somebody maintaining it, and the last updates were made on the 2nd of May, 102 stars. It looks like it's something that I should be able to use. Now, without me understanding much of Go, I want to understand: okay, what are the kind of vulnerabilities and misconfigurations in this Go repository, in this application, that I should be aware of? So what I could do is take the URL, copy-paste it, and then I can go to my terminal. And obviously I must have Trivy installed; just make sure you have Trivy installed, there are lots of installation options in the documentation, also linked below. So once I have it installed, you can find here the repository command; the short form is just "repo", so you can just say trivy, "trivy repo", and then we specify the URL to the repository. Now, once the scan is performed, we can already see a misconfiguration here: that there's a private key exposed in this repository. We can see here, kind of, well, it's covered, but I'm not sure if it's actually covered also in the repository, right, so I should check that. And then we could see several vulnerabilities here, so it has in total 11 vulnerabilities: five unknown, one medium and five high. And then here the exposed secret. So Trivy is also showing you if there are any secrets exposed in your repository. So, for example, also before you commit any repository and you don't know if you accidentally still have a secret within it, you could check it with Trivy as well, before committing your own file systems or repository to Git.

Now, once we've performed this scan, we might want to scan a specific branch. And here this repository has another branch which is called gin example, and gin example is a bit older; it has a failed CI/CD pipeline, so I'm not sure if I should be using that one, right? So we want to take a look at that first. Like, after the initial scan I know that I should, for example, take care of finding a solution for how to, if I have to use a private key, how to replace the private key directly in the repository, because you don't want to have private keys directly in the repository. So next I want to see: can I use the gin example app? And we can use the same repository, like the same command, but we can specify the branch, and we do --branch and then gin example. We just specified a branch. Now we're going to run this, and as you can see, in this one there are lots, lots more vulnerabilities. And let me maybe make this smaller so you can see the table properly, of what it actually shows you. So any Trivy scan will provide you with a table that displays the library that has the vulnerability, or the package that has the vulnerability; the vulnerability CVE, the number; the severity of the vulnerability, and that's based on several different classifications; then the installed version that has the vulnerability; and whether or not there's a fix available for the vulnerability. So for instance, for this library, for this vulnerability, installed version here, there's no fix available yet. Now, with the AVD you can find more information on the vulnerability itself, to understand it better and see whether or not it's affecting you, or whether or not you should find, like, a workaround to not have this installed version in your repository. So with the AVD we just copy-paste it, and then you can find more information here: the affected software, the description of it, the CVE severity and, yeah, potential mitigations as well. So this is providing you lots of information. Again, you don't have to be a security expert to scan your Git repositories for vulnerabilities, right?

So as you can see, in this specific branch that we scanned there are actually 41 vulnerabilities instead of 11. So there are lots more. So if I really want to use this example repository, I should probably use the other, the main branch, instead of the gin example branch, right? And this is kind of how you navigate yourself through a new repository and understand how to use it and how to not use it, or things that you should keep in mind before using it, right? Now, going back to the example, in addition to the specific branch you could also specify the specific commit hash. So in this case, for example, we can find the commit hash here of the latest commit, and we could take that and then we can just specify trivy repo and then --commit, the commit, repository name, and we run it. It should show us the same result, because this is the latest commit to the gin example branch, so it should also show us 41 vulnerabilities within. And that's exactly what it does; that's what I expected. It's exactly the same as if you would check, in this case, the gin example branch. But in some cases, for example, if you're checking somebody's PR, you want to see whether or not their PR is, for example, introducing new vulnerabilities to your repository, right, before accepting the PR. And maybe then, when you've reviewed the PR, you could give the people additional suggestions on how to fix vulnerabilities, or to take care of the vulnerabilities, before you actually merge. The last thing that we can specify is the tag. So if we say trivy repo and then --tag, we can specify the tag that we want to be using. So for instance, here is the release version, version 0.0.6, so we can copy that and then we provide again our repository link, and this is going to scan it. Now, this should have as many vulnerabilities, 11, as the main branch that we scanned at the beginning, right, because this is the latest release and it doesn't seem like there have been any updates since then. Now we want to compare the latest one with version 0.0.5 and see if there have been more vulnerabilities. I would assume there have been more vulnerabilities in one of the earlier releases. And in this case we can see that the asymmetric private key has always been there, kind of, also before, and then we can see that the previous release before that, not the most recent one, has actually 35 vulnerabilities. So a lot more. So that just shows you: use the latest release, the latest versions.

And this is really how you can now specify with Trivy not just the specific Git repository you want to scan, but also the branch, the commit hash or the tag. You can also scan private repositories just by specifying your GitHub token as, like, an environment variable, and then Trivy will have access to the private repositories of that account. Again, I really hope this was useful and gave you an overview of how you can scan your Git repositories, more specifically the Git branch, commit or tag of your Git repositories. Again, thank you so much, Shubham, for contributing this to Trivy and expanding the functionality of the Trivy repository command. Do check it out, see if you can use it the next time that you decide upon using somebody else's example project or similar, before you're using any library out there. I hope to see you in one of our upcoming videos. We also have a weekly live stream with our contributors and other people in the open source space, so do consider subscribing to our YouTube channel. If this video was useful, please do give it a thumbs up, give Trivy a star on GitHub, it would mean a lot to us. Have an amazing day and I hope to see you next time. Bye!
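The PR-review use the video describes, as an added example that is not code from the video or from the Trivy project: scan a base ref and a PR branch or commit with "trivy repo --format json" and list the findings the head ref introduces. It assumes the trivy binary is on PATH, the JSON field names named in the comments, and that a GITHUB_TOKEN in the environment covers private repositories; the two sample reports are constructed.

```python
"""Flag findings a PR branch or commit adds relative to a base ref, via `trivy repo`.

Added example, not from the video or the Trivy project. Assumes `trivy` is on
PATH and that `trivy repo --format json` emits "Results" entries carrying
"Vulnerabilities" and "Secrets" lists; GITHUB_TOKEN is inherited by the child.
"""
import json
import subprocess


def scan_ref(repo_url: str, ref: str, ref_flag: str = "branch") -> dict:
    """Run `trivy repo --<branch|commit|tag> REF --format json REPO`, parse the report."""
    cmd = ["trivy", "repo", f"--{ref_flag}", ref, "--format", "json", "--quiet", repo_url]
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def finding_keys(report: dict) -> set:
    """Reduce a Trivy JSON report to comparable (kind, target, id, severity) keys."""
    keys = set()
    for result in report.get("Results") or []:
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:  # one row of Trivy's vuln table
            keys.add(("vuln", target, f'{v["PkgName"]}:{v["VulnerabilityID"]}', v.get("Severity", "UNKNOWN")))
        for s in result.get("Secrets") or []:  # e.g. the exposed private key in the video
            keys.add(("secret", target, s.get("RuleID", ""), s.get("Severity", "UNKNOWN")))
    return keys


def new_findings(base: dict, head: dict) -> list:
    """Findings present in `head` but absent from `base`, sorted for stable CI output."""
    return sorted(finding_keys(head) - finding_keys(base))


def severity_counts(report: dict) -> dict:
    """Count findings per severity, like the summary line above Trivy's table."""
    counts: dict = {}
    for _, _, _, sev in finding_keys(report):
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def compare_refs(repo_url: str, base_ref: str, head_ref: str, ref_flag: str = "branch") -> list:
    """Scan e.g. main vs. a PR branch (or two commits) and return what the head ref introduces."""
    return new_findings(scan_ref(repo_url, base_ref, ref_flag), scan_ref(repo_url, head_ref, ref_flag))


# Constructed sample reports standing in for two real `trivy repo --format json` runs.
BASE_REPORT = {"Results": [{"Target": "go.mod", "Vulnerabilities": [
    {"PkgName": "golang.org/x/text", "VulnerabilityID": "CVE-EXAMPLE-0001", "Severity": "HIGH"}]},
    {"Target": "testdata/key.pem", "Secrets": [{"RuleID": "private-key", "Severity": "HIGH"}]}]}
HEAD_REPORT = {"Results": [{"Target": "go.mod", "Vulnerabilities": [
    {"PkgName": "golang.org/x/text", "VulnerabilityID": "CVE-EXAMPLE-0001", "Severity": "HIGH"},
    {"PkgName": "github.com/gin-gonic/gin", "VulnerabilityID": "CVE-EXAMPLE-0002", "Severity": "MEDIUM"}]},
    {"Target": "testdata/key.pem", "Secrets": [{"RuleID": "private-key", "Severity": "HIGH"}]}]}

if __name__ == "__main__":
    print(*new_findings(BASE_REPORT, HEAD_REPORT), sep="\n")
```

Run compare_refs("<repo url>", "main", "<pr-branch>") for a real repository, or pass ref_flag="commit" with two commit hashes, as in the video's --commit example.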
Info
Channel: Aqua Security Open Source
Views: 8,032
Keywords: DevSecOps, container, DevOps, Cloud, CloudEngineer, container security, vulnerability scans, Cloud Security, security reports, monitoring, observability, security by example, devsecops tutorial, kubernetes tutorial, helm, kubernetes helm, helm charts, Helm Charts, Configuration Audits, scan git repository, vulnerabilities, Git, Git Branch, Git Security Scanning, Git security, git remote repository not found, devsecops for beginners, GitHub, GitLab, Scan Git repositories, github security
Id: glrfTtiJ7fE
Length: 11min 40sec (700 seconds)
Published: Wed Aug 24 2022