Docker Container Security: Scanning for Vulnerabilities with Trivy

In Uncategorized by dbtech

In our last video we talked about adding a bit of security to our internet browsing by adding DNSSEC to our Pi-Hole and AdGuard configs.

In this video we’re going to continue talking about security, but we’re going to bring things closer to our actual homelabs: we’re going to talk about doing security audits on the Docker containers we’re thinking of deploying in our homelabs, using a solution called Trivy.

Here is an additional video to correct a mistake I made in the previous video:

So, a couple of things before we continue here:

First, I want to thank viewer TitanKingMedia for bringing Trivy to my attention. I probably wouldn’t have known about it without their comment.

Second, this video is in no way meant to throw shade at any developers. It’s just meant to show how you can look at the known vulnerabilities of the Docker containers you’re getting ready to deploy.

From Trivy’s Github:

Trivy is a comprehensive and versatile security scanner. Trivy has scanners that look for security issues, and targets where it can find those issues.

Targets can scan:

  • Container Image
  • Filesystem
  • Git Repository (remote)
  • Virtual Machine Image
  • Kubernetes
  • AWS

Now, with that said, we’re just going to be taking a look at scanning Docker container images in this video, but aquasecurity has great documentation available on how to scan the other targets.

Trivy supports most popular programming languages, operating systems, and platforms. For a complete list, see the Scanning Coverage page in their docs.

As per usual, I’ll have links to everything below.

Now there are a couple of different ways we could go about using Trivy. One method involves setting up a VM, Proxmox container, or similar and installing Trivy as a bare-metal application.

The other method is more in line with what we do on the channel here, and that’s running Trivy as a Docker container.

I like this method because it’s quick and simple.

Trivy does recommend setting up a cache for the Trivy Docker container to store its vulnerability database between runs, so that will be part of our Docker CLI command and I’ll be sure to show that as we’re digging through some containers.

In this video we’re just going to take a look at 4 different containers from 4 different developers so we can see what we can find out about the containers’ vulnerabilities.

Here are the examples I used in the video so you can check them out for yourself.

LinuxServer’s Snipe-IT

docker run -v /var/run/docker.sock:/var/run/docker.sock -v /home/docker/trivy/Caches:/root/.cache/ aquasec/trivy image linuxserver/snipe-it:latest

LinkWarden

docker run -v /var/run/docker.sock:/var/run/docker.sock -v /home/docker/trivy/Caches:/root/.cache/ aquasec/trivy image ghcr.io/linkwarden/linkwarden:latest

Pi-Hole’s Official Image

docker run -v /var/run/docker.sock:/var/run/docker.sock -v /home/docker/trivy/Caches:/root/.cache/ aquasec/trivy image pihole/pihole:latest

AdGuard’s Official Image

docker run -v /var/run/docker.sock:/var/run/docker.sock -v /home/docker/trivy/Caches:/root/.cache/ aquasec/trivy image adguard/adguardhome:latest

In each of these examples we’ll get varied results based on the vulnerabilities found by Trivy.

It’s important to note that not all vulnerabilities are guaranteed show-stoppers, but each one is worth investigating to find out just how much it jeopardizes your homelab.
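As an added example (not from the video and not part of Trivy itself), here is a small Python triage script for the report you get when you append --format json to the image commands above: it counts findings per severity and lists the ones that already have a fixed version, which are the cheapest to act on first. The report below is a constructed sample with placeholder vulnerability IDs, and the CRITICAL/HIGH gate is an assumed policy, not a Trivy default.

```python
import json
from collections import Counter

# Constructed sample shaped like `trivy image --format json <image>` output.
# The VulnerabilityID values are placeholders, not real CVE numbers.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "example/image:latest (debian 12.4)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libother",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-00003", "PkgName": "libother",
                 "InstalledVersion": "2.3", "FixedVersion": "2.4", "Severity": "LOW"},
            ],
        },
        # Trivy omits "Vulnerabilities" (or leaves it null) for clean targets.
        {"Target": "app/package-lock.json"},
    ]
})


def summarize(report_json, gate=("CRITICAL", "HIGH")):
    """Count findings per severity across every target and collect the
    findings at or above the gate that have a fixed version available."""
    report = json.loads(report_json)
    counts = Counter()
    fixable = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] += 1
            if sev in gate and vuln.get("FixedVersion"):
                fixable.append((vuln["VulnerabilityID"], vuln["PkgName"], vuln["FixedVersion"]))
    return counts, fixable


def should_block(counts, gate=("CRITICAL", "HIGH")):
    """Assumed homelab policy: hold the deployment if anything at the gate severities exists."""
    return any(counts[s] for s in gate)


if __name__ == "__main__":
    counts, fixable = summarize(SAMPLE_REPORT)
    for sev in ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"):
        print(f"{sev:9} {counts[sev]}")
    for vid, pkg, fixed in fixable:
        print(f"fix available: {vid} in {pkg} -> upgrade to {fixed}")
    print("block deployment:", should_block(counts))
```

Pipe a real scan into it with `docker run ... aquasec/trivy image --format json <image> | python3 triage.py` after changing the script to read stdin instead of the sample.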