{"id":141,"date":"2022-11-19T14:13:00","date_gmt":"2022-11-19T14:13:00","guid":{"rendered":"http:\/\/blog.firatyasar.com\/?p=141"},"modified":"2023-03-19T14:19:28","modified_gmt":"2023-03-19T14:19:28","slug":"find-vulnerabilities-with-trivy-and-publish-them-in-azure-devops","status":"publish","type":"post","link":"https:\/\/blog.firatyasar.com\/?p=141","title":{"rendered":"Find Vulnerabilities with Trivy and Publish Them in Azure DevOps"},"content":{"rendered":"\n<figure class=\"wp-block-image\"><img src=\"https:\/\/miro.medium.com\/v2\/resize:fit:1400\/0*VcpQhiBH78YBTiqs.png\" alt=\"\"\/><\/figure>\n\n\n\n<h1 id=\"547e\">What is Trivy?<\/h1>\n\n\n\n<p id=\"bf02\">Trivy (<em>tri&nbsp;<\/em>pronounced like&nbsp;<strong>tri<\/strong>gger,&nbsp;<em>vy<\/em>&nbsp;pronounced like en<strong>vy<\/strong>) is a simple and comprehensive scanner for&nbsp;<strong>Container Images<\/strong>,&nbsp;<strong>Rootfs<\/strong>,&nbsp;<strong>Filesystem<\/strong>, and&nbsp;<strong>Git Repositories&nbsp;<\/strong>to detect vulnerabilities.<\/p>\n\n\n\n<h1 id=\"211a\">Why Do We Need Trivy?<\/h1>\n\n\n\n<p id=\"e3e7\">A short-term problem we faced was checking for vulnerabilities in our container images, Git repos and filesystems. Some research was needed to find a suitable open source vulnerability scanner, and after a bit of searching we found Trivy.<\/p>\n\n\n\n<h1 id=\"f692\">What Can Trivy Do?<\/h1>\n\n\n\n<p id=\"4000\">Put simply, Trivy can detect vulnerabilities in OS packages and language-specific packages. 
Aside from that, it can also scan IaC files like Terraform and Kubernetes manifests, and it can be pretty handy for detecting risky configurations that expose deployments to attack.<\/p>\n\n\n\n<h1 id=\"8303\">How to Install Trivy?<\/h1>\n\n\n\n<p id=\"4b8a\"><strong>Install Script<br><\/strong>This script downloads the Trivy binary based on your OS and architecture.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -sfL https:\/\/raw.githubusercontent.com\/aquasecurity\/trivy\/main\/contrib\/install.sh | sh -s -- -b \/usr\/local\/bin v0.29.2<\/code><\/pre>\n\n\n\n<p><strong>Homebrew<br><\/strong>You can use Homebrew on macOS and Linux.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>brew install aquasecurity\/trivy\/trivy<\/code><\/pre>\n\n\n\n<p><strong>Debian\/Ubuntu<br><\/strong>Add the repository setting to \/etc\/apt\/sources.list.d.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt-get install wget apt-transport-https gnupg lsb-release\nwget -qO - https:\/\/aquasecurity.github.io\/trivy-repo\/deb\/public.key | sudo apt-key add -\necho deb https:\/\/aquasecurity.github.io\/trivy-repo\/deb $(lsb_release -sc) main | sudo tee -a \/etc\/apt\/sources.list.d\/trivy.list\nsudo apt-get update\nsudo apt-get install trivy<\/code><\/pre>\n\n\n\n<p id=\"96f1\">You can find more installation types in the Trivy documentation.<\/p>\n\n\n\n<h1 id=\"98a5\">How to Use Trivy?<\/h1>\n\n\n\n<p id=\"f09d\"><strong>Scan images for vulnerabilities and secrets<br><\/strong>Simply specify an image name (and a tag).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>trivy image &lt;image><\/code><\/pre>\n\n\n\n<p><em>Or, to make it more specific:<\/em><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>trivy image --severity=HIGH,CRITICAL &lt;image><\/code><\/pre>\n\n\n\n<p id=\"dc09\">After implementing Trivy in our deployment pipelines, we realized we needed to make it more developer-friendly. 
Every time we had to check images for vulnerabilities, we had to find the relevant deployment and read the Trivy result in the command prompt, until we found a way to tell Trivy to output the results in a specific format, i.e. JUnit. (Thanks to Liam Gulliver)<\/p>\n\n\n\n<p id=\"78ca\">An example of the command prompt table:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"596\" src=\"\/wp-content\/uploads\/2023\/03\/image-23-1024x596.png\" alt=\"\" class=\"wp-image-142\" srcset=\"\/wp-content\/uploads\/2023\/03\/image-23-1024x596.png 1024w, \/wp-content\/uploads\/2023\/03\/image-23-300x175.png 300w, \/wp-content\/uploads\/2023\/03\/image-23-768x447.png 768w, \/wp-content\/uploads\/2023\/03\/image-23-660x384.png 660w, \/wp-content\/uploads\/2023\/03\/image-23.png 1364w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>Let\u2019s make it eye-catching!<\/strong><br>The Azure pipeline can look like the screenshot below, but it can be modified as needed.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"369\" src=\"\/wp-content\/uploads\/2023\/03\/image-24-1024x369.png\" alt=\"\" class=\"wp-image-143\" srcset=\"\/wp-content\/uploads\/2023\/03\/image-24-1024x369.png 1024w, \/wp-content\/uploads\/2023\/03\/image-24-300x108.png 300w, \/wp-content\/uploads\/2023\/03\/image-24-768x276.png 768w, \/wp-content\/uploads\/2023\/03\/image-24-660x238.png 660w, \/wp-content\/uploads\/2023\/03\/image-24.png 1356w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>In the first step, we have to specify the severity.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># You can change the severity or add another level such as LOW,MEDIUM if needed.\ntrivy image --severity HIGH,CRITICAL --format template --template \"@template\/junit.tpl\" -o junit-report-high-crit.xml &lt;image><\/code><\/pre>\n\n\n\n<p>In 
the second step, we add a task that publishes the report as test results.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>- task: PublishTestResults@2\n  inputs:\n    testResultsFormat: 'JUnit'\n    testResultsFiles: '**\/junit-report-high-crit.xml'\n    mergeTestResults: true\n    failTaskOnFailedTests: false\n    testRunTitle: 'Trivy - High and Critical Vulnerabilities'\n  condition: 'always()'<\/code><\/pre>\n\n\n\n<p>When the build is done, there will be a tab called\u00a0<em>Tests.\u00a0<\/em>It will show findings for all the pre-defined vulnerability levels in Azure DevOps.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"378\" src=\"\/wp-content\/uploads\/2023\/03\/image-25-1024x378.png\" alt=\"\" class=\"wp-image-144\" srcset=\"\/wp-content\/uploads\/2023\/03\/image-25-1024x378.png 1024w, \/wp-content\/uploads\/2023\/03\/image-25-300x111.png 300w, \/wp-content\/uploads\/2023\/03\/image-25-768x283.png 768w, \/wp-content\/uploads\/2023\/03\/image-25-660x243.png 660w, \/wp-content\/uploads\/2023\/03\/image-25.png 1356w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The details of a critical vulnerability are shown below; they appear by simply clicking on one of the entries.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"833\" src=\"\/wp-content\/uploads\/2023\/03\/image-26-1024x833.png\" alt=\"\" class=\"wp-image-145\" srcset=\"\/wp-content\/uploads\/2023\/03\/image-26-1024x833.png 1024w, \/wp-content\/uploads\/2023\/03\/image-26-300x244.png 300w, \/wp-content\/uploads\/2023\/03\/image-26-768x625.png 768w, \/wp-content\/uploads\/2023\/03\/image-26-660x537.png 660w, \/wp-content\/uploads\/2023\/03\/image-26.png 1352w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p id=\"df92\">There is one last step to get the job done. A template file should be added to produce the output. 
You can find all the templates in the Trivy repository and its documentation.<\/p>\n\n\n\n<p id=\"aaff\">We put the<strong>\u00a0junit.tpl<\/strong>\u00a0file below in a template folder in our repository.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?xml version=\"1.0\" ?>\n&lt;testsuites>\n{{- range . -}}\n{{- $failures := len .Vulnerabilities }}\n    &lt;testsuite tests=\"1\" failures=\"{{ $failures }}\" time=\"\" name=\"{{  .Target }}\">\n    {{- if not (eq .Type \"\") }}\n        &lt;properties>\n            &lt;property name=\"type\" value=\"{{ .Type }}\">&lt;\/property>\n        &lt;\/properties>\n        {{- end -}}\n        {{ range .Vulnerabilities }}\n        &lt;testcase classname=\"{{ .PkgName }}-{{ .InstalledVersion }}\" name=\"&#91;{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}\" time=\"\">\n            &lt;failure message={{escapeXML .Title | printf \"%q\" }} type=\"description\">{{escapeXML .Description | printf \"%q\" }}&lt;\/failure>\n        &lt;\/testcase>\n    {{- end }}\n    &lt;\/testsuite>\n{{- end }}\n&lt;\/testsuites><\/code><\/pre>\n\n\n\n<p id=\"995d\">You can find the report formats here:&nbsp;<a href=\"https:\/\/aquasecurity.github.io\/trivy\/v0.18.3\/examples\/report\/#default-templates\" rel=\"noreferrer noopener\" target=\"_blank\">https:\/\/aquasecurity.github.io\/trivy\/v0.18.3\/examples\/report\/#default-templates<\/a><\/p>\n\n\n\n<p id=\"f625\">In short, presenting the Trivy results in a better way is as easy as adding them to your build pipelines.<\/p>\n\n\n\n<p>source: <a rel=\"noreferrer noopener\" href=\"https:\/\/lgulliver.github.io\/trivy-scan-results-to-azure-devops\/\" target=\"_blank\">https:\/\/lgulliver.github.io\/trivy-scan-results-to-azure-devops\/<\/a><\/p>\n\n\n\n<p>F\u0131rat<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is Trivy? 
Trivy (tri&nbsp;pronounced like&nbsp;trigger,&nbsp;vy&nbsp;pronounced like envy) is a simple and comprehensive scanner for&nbsp;Container Images,&nbsp;Rootfs,&nbsp;Filesystem, and&nbsp;Git Repositories&nbsp;to detect vulnerabilities. Why We Need Trivy? A short-term problem we face is checking vulnerabilities in our container images, Git Repos and Filesystems. Some research needed to be done to find a suitable open source vulnerability scanner. And\u2026 <span class=\"read-more\"><a href=\"https:\/\/blog.firatyasar.com\/?p=141\">Read More &raquo;<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":144,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/posts\/141"}],"collection":[{"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=141"}],"version-history":[{"count":1,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/posts\/141\/revisions"}],"predecessor-version":[{"id":146,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/posts\/141\/revisions\/146"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/media\/144"}],"wp:attachment":[{"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=141"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=141"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.firatyasar.com\
/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}