GitHub security scanning with Trivy

Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action

Modern CI/CD pipelines make new security approaches possible and let teams build a variety of safety nets into the software supply chain. GitHub Actions is one such safety net: it lets you run pipeline steps (build, test, and deploy) from within GitHub itself. We saw this as an opportunity to add container image scanning to the pipeline without creating friction for developers. To do this, we combined the flexibility of GitHub Actions with the speed and ease of use of our Trivy vulnerability scanner in the Aqua Security Trivy GitHub Action.

This Action integrates with GitHub's code scanning feature, so you can read the vulnerability scan results for your images directly in the GitHub code scanning UI.

Visualizing Vulnerability Results with GitHub Code Scanning

With the launch of GitHub code scanning, it’s easy to see security issues through a single dashboard integrated directly in the GitHub UI, and it makes sense for container image vulnerability issues to be included in this view. You can read more about the code scanning capabilities on GitHub’s website.

Here's an example of how to configure a Trivy Action to send results to the GitHub code scanning dashboard:

[Screenshot: example workflow configuration for the Trivy Action]

The example workflow performs four simple steps. First, it checks out the code. The second step builds the code into a Docker image. It then uses the Trivy Action to scan that Docker image for vulnerabilities, and finishes by uploading the results to GitHub.

Since GitHub code scanning accepts reports in the industry-standard SARIF format, we've also added support to Trivy for writing its results as SARIF so that GitHub can consume them.
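The four steps above as a complete workflow file. This is an added example, not the workflow shown in the original post: the image name docker.io/my-org/my-app, the action version tags, and the assumption that the repository has a Dockerfile at its root are all illustrative. The Trivy Action inputs used here (image-ref, format, output, severity, ignore-unfixed, exit-code) are those documented for aquasecurity/trivy-action; format: 'sarif' assumes a Trivy release with native SARIF output.

```yaml
# .github/workflows/trivy-scan.yml  (added example; names and versions are assumptions)
name: Build and scan container image

on:
  push:
    branches: [main]
  pull_request:

# upload-sarif writes code scanning alerts, which needs security-events: write.
# Without it the upload step fails with a 403 even though the scan succeeded.
permissions:
  contents: read
  security-events: write

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      # Step 1: check out the code
      - name: Checkout code
        uses: actions/checkout@v4

      # Step 2: build the image to scan; tag it with the commit SHA so the
      # SARIF report's location identifies exactly which build was scanned
      - name: Build image
        run: docker build -t docker.io/my-org/my-app:${{ github.sha }} .

      # Step 3: scan the image and write a SARIF report.
      # exit-code '0' means the step reports rather than fails; a non-zero
      # exit-code would stop the job before the upload step runs, so if you
      # want a failing gate keep `if: always()` on the upload step below.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-org/my-app:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'   # only these severities reach the dashboard
          ignore-unfixed: true        # skip findings with no fixed version yet
          exit-code: '0'

      # Step 4: upload the SARIF report to the GitHub code scanning dashboard
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
```

Two things to check before relying on this: the severity filter decides what ends up in the dashboard, so a narrow filter hides MEDIUM and LOW findings entirely rather than deprioritizing them; and pinning aquasecurity/trivy-action to a release tag or commit SHA instead of @master is the safer supply-chain choice for a production pipeline.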

Once the Trivy Action finishes and sends its results to the GitHub code scanning dashboard, here's how it looks:

[Screenshot: Trivy results in the GitHub code scanning dashboard]

You can also drill down into the various vulnerabilities that were found and get specific details for each one of them as shown below:

[Screenshot: details of a single vulnerability in the code scanning UI]

The vulnerabilities are tagged by severity level and by the affected package. This makes it easier to filter the list and prioritize the subset of vulnerabilities you want to act on first.
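The same severity-and-package triage can be done on the SARIF file itself, for example to decide in the pipeline whether a build should fail before the results ever reach the dashboard. The script below is an added example, not code from the blog post or from the Trivy project. It reads only standard SARIF 2.1.0 fields plus two things it assumes about Trivy's output: rules carry a security-severity CVSS score (the property GitHub code scanning uses to derive its severity levels), and each result's message text contains "Package:" and "Fixed Version:" lines. The SAMPLE_SARIF report is constructed for this example, and the CVE-EXAMPLE-n rule IDs are placeholders, not real CVE identifiers.

```python
"""Triage a Trivy SARIF report by severity and package (added example).

Assumptions (not from the blog post): Trivy rules carry a `security-severity`
score and result messages include "Package: ..." / "Fixed Version: ..." lines.
SAMPLE_SARIF is a constructed report; CVE-EXAMPLE-n are placeholder IDs.
"""
import json
import re
import sys
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")  # most to least severe


def _rule(score, pkg, rule_id):
    """Build one constructed SARIF rule entry for the sample report."""
    return {"id": rule_id, "shortDescription": {"text": f"{pkg}: example issue"},
            "properties": {"security-severity": str(score)}}


def _result(rule_id, pkg, installed, fixed):
    """Build one constructed SARIF result shaped like Trivy's message layout."""
    text = (f"Package: {pkg}\nInstalled Version: {installed}\n"
            f"Vulnerability {rule_id}\nFixed Version: {fixed}")
    return {"ruleId": rule_id, "level": "error", "message": {"text": text},
            "locations": [{"physicalLocation": {"artifactLocation": {
                "uri": "docker.io/my-org/my-app:abc123"}}}]}


# Constructed sample: three findings across two packages, one without a fix.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "Trivy", "rules": [
        _rule(9.8, "libfoo", "CVE-EXAMPLE-1"),
        _rule(7.5, "libfoo", "CVE-EXAMPLE-2"),
        _rule(5.3, "libbar", "CVE-EXAMPLE-3")]}},
    "results": [
        _result("CVE-EXAMPLE-1", "libfoo", "1.0.0", "1.0.1"),
        _result("CVE-EXAMPLE-2", "libfoo", "1.0.0", ""),   # no fix available
        _result("CVE-EXAMPLE-3", "libbar", "2.1.0", "2.2.0")]}]})


def severity_from_score(score: float) -> str:
    """Map a CVSS score to a level using GitHub code scanning's thresholds."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def triage(sarif_text: str) -> list:
    """Return one dict per result: rule, severity, package, fixed, image."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc["runs"]:
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run["results"]:
            rule = rules.get(res["ruleId"], {})
            score = float(rule.get("properties", {}).get("security-severity", 0.0))
            text = res["message"]["text"]
            pkg = re.search(r"^Package: (.+)$", text, re.M)
            fixed = re.search(r"^Fixed Version: (.*)$", text, re.M)
            locs = res.get("locations", [])
            image = locs[0]["physicalLocation"]["artifactLocation"]["uri"] if locs else ""
            findings.append({
                "rule": res["ruleId"],
                "severity": severity_from_score(score),
                "package": pkg.group(1).strip() if pkg else "unknown",
                "fixed": bool(fixed and fixed.group(1).strip()),
                "image": image,
            })
    return findings


def summarize(findings) -> Counter:
    """Count findings per (severity, package) so the worst packages stand out."""
    return Counter((f["severity"], f["package"]) for f in findings)


def should_fail(findings, threshold="HIGH", fixed_only=True) -> bool:
    """True if any finding is at or above `threshold`; with fixed_only, only
    findings that already have a fixed version count (mirrors ignore-unfixed)."""
    limit = SEVERITIES.index(threshold)
    return any(SEVERITIES.index(f["severity"]) <= limit and (f["fixed"] or not fixed_only)
               for f in findings)


if __name__ == "__main__":
    # Usage: python triage.py trivy-results.sarif   (no argument: use the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    found = triage(text)
    for (sev, pkg), n in sorted(summarize(found).items(), key=lambda kv: SEVERITIES.index(kv[0][0])):
        print(f"{sev:9} {pkg:20} {n}")
    sys.exit(1 if should_fail(found, "HIGH", fixed_only=True) else 0)
```

Run against the sample, the script lists one CRITICAL and one HIGH finding in libfoo and one MEDIUM in libbar, and exits 1 because the CRITICAL one has a fix available. The fixed_only gate is the same trade-off as the Action's ignore-unfixed input: it keeps the build from failing on findings nobody can fix yet, at the cost of not blocking on them.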

[Screenshot: filtering vulnerabilities by severity and package]

GitHub code scanning also keeps a history of past alerts for each project. This helps you track down where and when a vulnerability was first introduced, whether it was fixed, and whether it was later reintroduced as a regression.

[Screenshot: alert history for a project]

Trying the Trivy GitHub Action

The Aqua Security Trivy GitHub Action is available today through the GitHub Marketplace.

[Screenshot: Trivy GitHub Action listing on the GitHub Marketplace]

We've also open-sourced the Trivy Action code in our GitHub repository.

We look forward to seeing you use this on your projects. As always, we welcome any feedback or pull requests you may have!


Simar Singh

Simar is an Open Source Engineer at Aqua. He works on projects that improve container security. He is also an avid open source contributor outside of work and currently maintains a few projects. While not in front of a computer screen, he likes to row competitively, ride a bike and travel.

Container Security, Open Source, Image Vulnerability Scanning