Aqua Blog

Trivy’s Journey Continues: First Unified Scanner for Cloud Native Security


Over the past few years, the Aqua Trivy scanner has become a must-have tool in many developers’ toolkits, enabling them to easily shift left and secure artifacts before production. With a tremendous community of over 100,000 users and contributors from leading tech companies, Trivy is the most popular open source scanner in the world.

At the same time, it has clearly grown beyond the initial vision of an open source vulnerability scanner. Today, we’re excited for the next stage in Trivy’s journey as it becomes the first unified scanner for cloud native ecosystems. With a load of new capabilities, Trivy now allows you to scan a broad range of targets across the software development life cycle (SDLC).

Shifting to a unified experience

Driven by requests from the Trivy community, in the last year we added Infrastructure as Code (IaC) misconfiguration scanning for Dockerfiles, Kubernetes manifests, Terraform, and AWS CloudFormation templates. Trivy also now integrates directly with the Visual Studio Code, JetBrains, and Vim integrated development environments (IDEs), so developers can find and fix vulnerabilities and other issues before committing code. Together, these changes let users shift security further left, into the coding process itself, and address a broader set of security issues in the build.

The first unified scanner for cloud native security

This week at KubeCon EU, we announced new capabilities in Trivy and an all-new version for enterprise users, Aqua Trivy Premium. This news represents the realization of a shift in user preferences toward more integrated, less disparate security tooling across the entire SDLC. Yes, vulnerability scanning is important. But shift left should be about securing the entire build, and with that, scanning for much more than vulnerabilities in container images. That is why we’ve added many more scan targets in cloud native environments, including source code, repositories, file systems, artifact registries, Dockerfiles, and Kubernetes manifests.

And that’s why we’ve added these capabilities to the same easy-to-use tool, so teams get better security without giving themselves more work. Consolidating scanning into a single tool simplifies the developer, DevOps, and DevSecOps experience and improves efficiency. Through consolidation and deeper integration into existing IDEs and CI/CD tools, users can secure their cloud native applications across the code, build, and deploy stages, and run the same scans against runtime environments.

What’s new in Trivy Open Source

So, what are the new features available in Trivy today? Here are a few highlights.

Kubernetes security scanning

Trivy can now scan running Kubernetes clusters and their resources for security issues with the same low friction you expect from Trivy’s pre-runtime scanning. Point it at a cluster (it uses your current kubeconfig context, so you need read access to the resources you want covered), and it fetches the workloads and scans them for vulnerabilities and misconfigurations.

With the Kubernetes operator, scans are triggered automatically in response to changes in cluster state: for example, a vulnerability scan runs when a new pod is created. This removes manual intervention from runtime scanning, and the results are stored in the cluster as Kubernetes custom resources (such as VulnerabilityReport objects), so they can be queried with kubectl like any other resource.

Support for software bills of materials (SBOMs)

In a complex DevSecOps environment, with multiple teams and rapid release cycles, it’s challenging to have full visibility into the potential risks in the software supply chain. SBOMs help organizations reduce those risks by recording exactly which components an artifact contains. Trivy can now emit an SBOM (in CycloneDX format) for the artifacts it already scans, so you can add SBOM generation to your development process and improve the security of your applications without a separate tool.

Detection of sensitive data

Hard-coded secrets, such as passwords, in code and containers represent a major security risk to organizations. When exposed and exploited by threat actors, they undermine the authentication controls put in place to limit access to systems and services. Even if developers adhere to internal best practices, third-party code and images can introduce hard-coded secrets. Now with Trivy Open Source, you can scan targets for hard-coded secrets: Trivy scans any container image, filesystem, or Git repository for exposed passwords, API keys, and tokens. Secret detection is rule-based pattern matching, so treat a hit as a prompt to verify the finding and, if the credential is real, to rotate it: deleting it from the latest commit does not remove it from Git history or from earlier image layers.
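To make the CI usage that the vulnerability-scanning, SBOM, and secret-detection sections describe concrete, here is an added example, not code from Aqua or the Trivy project: a small Python gate that builds the Trivy command lines (a JSON finding report, or a CycloneDX SBOM), parses the report, and fails the build on HIGH/CRITICAL vulnerabilities or on any secret. It assumes a recent Trivy on PATH whose scanner selection flag is --scanners (the 2022 releases spelled it --security-checks); the severity policy, the ignore_unfixed option, and SAMPLE_REPORT are assumptions for the example. The sample report is constructed by hand in Trivy's JSON layout and is not real scanner output, although the two OpenSSL CVE identifiers in it are genuine advisories.

```python
"""CI gate around the Trivy CLI (added example, not Aqua's code)."""
import json
import shutil
import subprocess
import sys
from dataclasses import dataclass, field

# Policy assumed for this example: block the build on these severities.
FAIL_SEVERITIES = {"HIGH", "CRITICAL"}


def trivy_argv(kind, target, scanners=("vuln", "secret")):
    """Command line for a vulnerability + secret scan of one target.

    kind is the Trivy subcommand: "image", "fs" or "repo". --format json
    makes the report machine readable; --scanners selects the checks
    (older 2022 releases used --security-checks for the same purpose).
    """
    if kind not in ("image", "fs", "repo"):
        raise ValueError(f"unsupported target kind: {kind}")
    return ["trivy", kind, "--quiet", "--format", "json",
            "--scanners", ",".join(scanners), target]


def sbom_argv(image, out_path):
    """Command line that writes a CycloneDX SBOM for an image."""
    return ["trivy", "image", "--quiet", "--format", "cyclonedx",
            "--output", out_path, image]


@dataclass
class GateResult:
    blocking_vulns: list = field(default_factory=list)
    secrets: list = field(default_factory=list)

    @property
    def passed(self):
        return not self.blocking_vulns and not self.secrets


def evaluate(report, fail_severities=FAIL_SEVERITIES, ignore_unfixed=False):
    """Apply the gate policy to a parsed Trivy JSON report (SchemaVersion 2).

    Each entry of report["Results"] is one scanned target (an OS package
    database, a lockfile, a file containing a secret) carrying optional
    "Vulnerabilities" and "Secrets" lists. ignore_unfixed mirrors Trivy's
    --ignore-unfixed: drop findings without a FixedVersion, which no rebuild
    can remove. The target name is copied onto each finding for reporting.
    """
    result = GateResult()
    for res in report.get("Results", []):
        target = res.get("Target", "?")
        for vuln in res.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in fail_severities:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            result.blocking_vulns.append({**vuln, "Target": target})
        # Any hard-coded secret fails the gate regardless of its severity.
        for secret in res.get("Secrets") or []:
            result.secrets.append({**secret, "Target": target})
    return result


def run_gate(kind, target, **policy):
    """Run Trivy on target and evaluate the report. Returns a GateResult."""
    if shutil.which("trivy") is None:
        raise RuntimeError("trivy binary not found on PATH")
    proc = subprocess.run(trivy_argv(kind, target), check=True,
                          capture_output=True, text=True)
    return evaluate(json.loads(proc.stdout), **policy)


def summarize(result):
    """One line per blocking finding, suitable for a CI log."""
    lines = [f"{v['VulnerabilityID']} {v['PkgName']} {v['InstalledVersion']} "
             f"in {v['Target']} -> fixed in {v.get('FixedVersion') or 'no fix'}"
             for v in result.blocking_vulns]
    lines += [f"secret {s['RuleID']} in {s['Target']}:{s.get('StartLine', '?')}"
              for s in result.secrets]
    return lines


# Constructed sample in Trivy's JSON layout (not real scanner output): one HIGH
# and one MEDIUM OpenSSL CVE on an Alpine base, plus an AWS key in a config
# file. Trivy masks the matched secret value with asterisks in "Match".
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example.internal/app:1.0",
    "Results": [
        {"Target": "example.internal/app:1.0 (alpine 3.15.0)",
         "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-0778", "PkgName": "openssl",
              "InstalledVersion": "1.1.1l-r7", "FixedVersion": "1.1.1n-r0",
              "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2022-1343", "PkgName": "openssl",
              "InstalledVersion": "1.1.1l-r7", "FixedVersion": "1.1.1o-r0",
              "Severity": "MEDIUM"}]},
        {"Target": "app/settings.py", "Class": "secret",
         "Secrets": [
             {"RuleID": "aws-access-key-id", "Category": "AWS",
              "Severity": "CRITICAL", "Title": "AWS Access Key ID",
              "StartLine": 3, "EndLine": 3,
              "Match": "AWS_ACCESS_KEY_ID = 'AKIA****************'"}]},
    ],
}

if __name__ == "__main__":
    # Usage: python gate.py image registry/app:tag  (or fs <dir>, repo <url>).
    # Without arguments the constructed sample report is evaluated instead.
    if len(sys.argv) == 3:
        outcome = run_gate(sys.argv[1], sys.argv[2], ignore_unfixed=True)
    else:
        outcome = evaluate(SAMPLE_REPORT)
    print("\n".join(summarize(outcome)) or "no blocking findings")
    sys.exit(0 if outcome.passed else 1)
```

Keeping the severity threshold and the unfixed-finding rule in the wrapper rather than in Trivy's own --severity and --exit-code flags means the same policy is applied identically whether the target is an image, a checked-out filesystem, or a remote repository, and the full JSON report is still available to archive beside the SBOM.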

Aqua Trivy for Docker Desktop

Following the shift-left security principle, artifacts and dependencies should be scanned for vulnerabilities and other risks as early in the SDLC as possible. With the new Aqua Trivy for Docker Desktop integration, you can easily scan any number of container images directly through the Docker Dashboard.

All-new Aqua Trivy Premium

Building on the popularity of the open source project Trivy, Trivy Premium is now available as part of the Aqua Cloud Native Application Protection Platform (CNAPP). Having a common scan engine between our open source and commercial offerings allows you to have consistent scan results no matter which version you use.

If you start out with Trivy Open Source, you can access customer support or centralized management when you need it via Trivy Premium in the Aqua platform. You also unlock access to, and interoperability with, other Aqua platform capabilities such as assurance policies, which let you declare images compliant or non-compliant based on the policy you define.

In addition, you can take advantage of automated or scheduled scans, data retention for scan results, and interoperability with other modules on the Aqua platform such as Cloud Security Posture Management (CSPM) and runtime protection.

Below are more capabilities exclusive to Trivy Premium.

Accuracy of results

To close the gap in vulnerability detection for binaries that were not installed by a package manager (and so do not appear in its database), Trivy Premium can detect vulnerabilities in more than 500 kinds of standalone binaries. These include Apache, Gzip, Httpd, Java, Mongo, MySQL, Nginx, Node, PHP, Postgres, Python, Redis, Ruby, SSL, and SVN.

Trivy Premium also has access to a groomed database of vulnerabilities and other threat intelligence.

Malware detection

Like vulnerabilities, malware embedded in container images represents a significant risk to organizations. Trivy Premium can scan for malware in container images to stop known threats.

Summary

We’re excited for Trivy users to begin (or continue) their journeys with fewer disparate tools, more integration, and better overall security for their cloud native applications. We look forward to you using these new Trivy capabilities and welcome your feedback.

If you’re new to Trivy, you can get started with it today and discover how easy it is to use. If you think the enterprise version might be better suited to your needs, you can get started with Trivy Premium when you sign up for a free trial of the Aqua platform.

Chris Simmons
Chris Simmons was the Senior Director of Product Marketing at Aqua Security. With more than 20 years of experience in Product Marketing, Product Management, and Cybersecurity, he is passionate about bringing innovative security technologies to market that solve real customer problems.