Trivy Security Scanner Tutorial 🚀

What is Trivy?

Trivy is a lightweight and powerful security scanner that detects vulnerabilities in:
Container Images (Docker, Podman, etc.)
Kubernetes Clusters (pods, deployments, namespaces, etc.)
Infrastructure as Code (IaC) (Terraform, Helm, Kubernetes manifests, CloudFormation)
Cloud Resources (AWS, Azure, GCP)
Container Registries (ECR, GCR, Docker Hub, etc.)
File System & Root Filesystem (rootfs, directories, local files)
Code Repositories (GitHub, GitLab, Bitbucket, etc.)
VM Images (AWS AMI, VMware, VirtualBox, etc.)
Software Bill of Materials (SBOM) (CycloneDX, SPDX, etc.)


1️⃣ Scan Container Images

Scan a Local Docker Image

trivy image nginx:latest

Scan an Image from a Private Registry

trivy image --username USER --password PASSWORD my-private-registry.com/myimage:latest

Scan for Only High & Critical Vulnerabilities

trivy image --severity HIGH,CRITICAL nginx:latest

Save Scan Results to a File (JSON Format)

trivy image --format json --output image-report.json nginx:latest
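The JSON report written by the command above is what a CI job usually consumes. The following is an added example (not code from the Trivy project or from this tutorial) that walks the report's `Results[].Vulnerabilities[]` entries, counts findings per severity and returns the IDs at or above a chosen threshold, optionally skipping findings with no fixed version; the sample report is constructed inline with placeholder CVE IDs.

```python
import json
from collections import Counter

# Constructed sample in the shape of `trivy image --format json` output
# (top-level "Results", each with an optional "Vulnerabilities" list).
# The CVE IDs are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "nginx:latest",
    "Results": [
        {
            "Target": "nginx:latest (debian 12.5)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libminor",
                 "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "LOW"},
            ],
        },
        # A result with no findings omits the "Vulnerabilities" key entirely.
        {"Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg"},
    ],
})

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def load_report(text):
    return json.loads(text)

def iter_vulns(report, ignore_unfixed=False):
    """Yield every vulnerability across all Results, tolerating missing keys."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # nothing to upgrade to yet; skip when asked
            yield vuln

def count_by_severity(report, ignore_unfixed=False):
    return Counter(v.get("Severity", "UNKNOWN") for v in iter_vulns(report, ignore_unfixed))

def findings_at_or_above(report, threshold="HIGH", ignore_unfixed=False):
    """IDs of findings whose severity is >= threshold; a non-empty list should fail the build."""
    min_rank = SEVERITY_ORDER.index(threshold)
    return sorted(v["VulnerabilityID"] for v in iter_vulns(report, ignore_unfixed)
                  if SEVERITY_ORDER.index(v.get("Severity", "UNKNOWN")) >= min_rank)
```

Trivy can apply the same gate itself with `--exit-code 1 --severity HIGH,CRITICAL` (and `--ignore-unfixed`); parsing the JSON is useful when the job also needs the counts or the IDs for a ticket or dashboard.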

2️⃣ Scan Kubernetes Clusters

Scan the Entire Kubernetes Cluster

trivy k8s cluster

Scan a Specific Kubernetes Resource

trivy k8s --namespace default deployment/nginx

Scan a Specific Kubernetes Node

trivy k8s node my-node-name

3️⃣ Scan Infrastructure as Code (IaC)

Scan Terraform, Kubernetes Manifests, Helm Charts, or CloudFormation

trivy config /path/to/terraform/

Scan a Kubernetes YAML Manifest

trivy config /path/to/k8s-deployment.yaml

4️⃣ Scan Cloud Resources

🔹 Scan AWS Security Resources

First, configure AWS CLI:

aws configure

Then, run:

trivy aws --region us-east-1

Scans AWS services (EC2, S3, IAM, RDS, etc.) for misconfigurations and vulnerabilities.

Scan Specific AWS Services

trivy aws s3
trivy aws iam
trivy aws ec2

🔹 Scan Azure Security Resources

Login to Azure:

az login

Then, scan:

trivy azure --subscription my-subscription-id

Scans Azure services (Storage, VM, IAM, etc.) for security misconfigurations.


5️⃣ Scan Container Registries

Amazon ECR

trivy image aws_account_id.dkr.ecr.region.amazonaws.com/my-image:latest

Google Container Registry (GCR)

trivy image gcr.io/project-id/my-image:latest

Docker Hub

trivy image docker.io/library/nginx:latest

6️⃣ Scan File System & Root Filesystem (rootfs)

Scan a Local Directory

trivy fs /path/to/directory

Scan the Root Filesystem

trivy rootfs /

7️⃣ Scan Code Repositories

Scan a GitHub Repository

trivy repo https://github.com/org/repo

Scan a Local Git Repository

trivy repo /path/to/repo

8️⃣ Scan VM Images

Trivy can scan VM images, including AWS AMIs and VMware and VirtualBox disk images.

Scan an AWS AMI Image

trivy vm aws --region us-east-1 --ami-id ami-12345678

Scan a VMware Image

trivy vm vmware --path /path/to/vm-image.vmdk

9️⃣ Generate a Software Bill of Materials (SBOM)

An SBOM lists every dependency in an application, so the dependency set can be tracked and compared between builds.

Generate SBOM in SPDX Format

trivy image --format spdx --output sbom.spdx.json nginx:latest

Generate SBOM in CycloneDX Format

trivy image --format cyclonedx --output sbom.cdx.json nginx:latest
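Tracking dependencies means noticing when they change. The following is an added example (not code from the Trivy project or from this tutorial) that indexes the `components` list of two CycloneDX SBOMs, as produced by the command above, by package URL without its version, and reports components added, removed or changed in version between builds; both SBOM fragments are constructed inline.

```python
import json

# Constructed CycloneDX JSON fragments in the shape `trivy image --format cyclonedx`
# emits: a "components" list whose entries carry "name", "version" and "purl".
SBOM_BUILD_1 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.11-1",
         "purl": "pkg:deb/debian/openssl@3.0.11-1?arch=amd64&distro=debian-12"},
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
    ],
})
SBOM_BUILD_2 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13-1",
         "purl": "pkg:deb/debian/openssl@3.0.13-1?arch=amd64&distro=debian-12"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "minimist", "version": "1.2.8",
         "purl": "pkg:npm/minimist@1.2.8"},
    ],
})

def load_sbom(text):
    return json.loads(text)

def component_key(component):
    """Package URL with qualifiers and version stripped; falls back to the name.
    In purl syntax a literal '@' only precedes the version (names encode it as %40)."""
    purl = (component.get("purl") or "").split("?", 1)[0]
    if "@" in purl:
        purl = purl.rsplit("@", 1)[0]
    return purl or component.get("name", "")

def index_components(sbom):
    """Map component key -> version for every component in the SBOM."""
    return {component_key(c): c.get("version", "")
            for c in sbom.get("components") or []}

def diff_sboms(old, new):
    """Compare two SBOMs; 'changed' maps key -> (old_version, new_version)."""
    before, after = index_components(old), index_components(new)
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "changed": {k: (before[k], after[k])
                    for k in sorted(before) if k in after and before[k] != after[k]},
    }
```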

🔟 Integrating Trivy with AWS Security Hub

Enable AWS Security Hub

aws securityhub enable-security-hub

Ensure you have an IAM user/role with Security Hub permissions.

Install Trivy AWS Plugin

trivy plugin install github.com/aquasecurity/trivy-plugin-aqua

Scan AWS Services & Send Results to Security Hub

trivy aws --region us-east-1 --format aws --output securityhub.json
aws securityhub batch-import-findings --findings file://securityhub.json

Verify Results in AWS Security Hub

1️⃣ Open the AWS Console → Security Hub
2️⃣ Navigate to Findings
3️⃣ Filter by "Product Name: Trivy"


1️⃣1️⃣ Automate AWS Security Scans with Lambda

Example AWS Lambda Code (Python)

import json
import subprocess
import boto3

# BatchImportFindings accepts at most 100 findings per call, so larger
# reports have to be split before upload.
BATCH_SIZE = 100

def chunks(items, size):
    for i in range(0, len(items), size):
        yield items[i:i + size]

def lambda_handler(event, context):
    region = "us-east-1"
    output_file = "/tmp/securityhub.json"

    # Run the Trivy scan. Arguments are passed as a list (no shell=True) so
    # nothing is ever interpreted by a shell; check=True raises if Trivy fails.
    subprocess.run(
        ["trivy", "aws", "--region", region, "--format", "aws", "--output", output_file],
        check=True,
    )

    # Load the findings written by Trivy (a list of Security Hub findings)
    with open(output_file, "r") as f:
        findings = json.load(f)

    # Upload findings to AWS Security Hub in batches of 100
    securityhub = boto3.client("securityhub", region_name=region)
    success = failed = 0
    for batch in chunks(findings, BATCH_SIZE):
        response = securityhub.batch_import_findings(Findings=batch)
        success += response.get("SuccessCount", 0)
        failed += response.get("FailedCount", 0)

    return {
        "statusCode": 200,
        "body": json.dumps({"imported": success, "failed": failed})
    }

🚀 Trigger this Lambda using an AWS EventBridge rule to scan AWS security resources on a schedule!


1️⃣2️⃣ CI/CD Integration

GitHub Actions

steps:
  - name: Run Trivy scan
    uses: aquasecurity/trivy-action@master
    with:
      scan-type: "aws"
      aws-region: "us-east-1"
      format: "aws"
      output: "securityhub.json"

Then upload the results to AWS Security Hub with the AWS CLI (`aws securityhub batch-import-findings`, as shown in section 🔟).

Jenkins Pipeline

pipeline {
    agent any
    stages {
        stage('Scan') {
            steps {
                sh 'trivy image my-image:latest'
            }
        }
    }
}

Why Use Trivy?

Fast & lightweight security scanning
Scans everything – containers, Kubernetes, IaC, registries, cloud, VM images
Generates SBOM for dependency tracking
Integrates with AWS Security Hub for centralized monitoring
CI/CD-friendly – integrates with GitHub, Jenkins, GitLab, etc.
Automates AWS security checks with Lambda