Golang Scanning with Trivy: Detect Vulnerabilities Accurately
Picture of Rory McCune
Rory McCune
 November 09, 2021

Golang Scanning with Trivy: Detect Vulnerabilities Accurately

A standard piece of security advice is to reduce the size of your container images, usually by using statically compiled binaries in a scratch or distroless container. However, that complicates container vulnerability scanning, because it becomes impossible to determine the versions of software installed in a container image. Fortunately, if you’re using Trivy, a popular open source scanner, a couple of useful features can help solve this problem.

Golang binary scanning

The first option is to use Trivy’s Golang binary scanning feature. This enables Trivy to look inside compiled Golang programs and extract module information, which then allows for vulnerability analysis to take place.

Trivy takes advantage of the fact that, by default, the Golang compiler will embed module information into its binaries.

As an example of this scanning, a container image with several Golang programs will produce output like this:

trivy i raesene/alpine-containertools

output of Trivy scan of a container image

This shows the location of the binary scanned and the resulting vulnerability information.

Of course, there are times when compiled binaries won’t provide the information we need. For example, the Caddy project strips module information from their released binaries, so if we scan their container image, we’ll get something like this:

trivy output from scanning the caddy image

In cases like this, we need another approach.

Scanning GitHub repositories

When it’s not possible to scan binary programs, but the source code is available online, you can use Trivy to scan the repository to get a view of vulnerable library versions. For the Caddy project, this would look like this:

trivy repo https://github.com/caddyserver/caddy

Trivy scan of the caddy github repository

This approach is scanning the go.sum file found in the repository and looking at the version information there.

Summary

When implementing security measures like minimizing the size of container images, it’s always important to consider the trade-offs. In some cases, it may be necessary to change the approach to vulnerability scanning to ensure that vulnerabilities are still detected appropriately. As we saw, with Trivy, this process is easy to handle.

New call-to-action
Picture of Rory McCune

Rory McCune
Rory is a Cloud Native Security Advocate at Aqua. He has worked in the Information and IT Security arena for the last 20 years in a variety of roles. He is an active member of the container security community having delivered presentations at a variety of IT and Information security conferences. He has also presented at major containerization conferences and is an author of the CIS Benchmarks for Docker and Kubernetes and main author of the Mastering Container Security training course which has been delivered at numerous industry conferences including Blackhat USA. When he's not working, Rory can generally be found out walking and enjoying the scenery of the Scottish highlands.

Container Security, Open Source, DevSecOps, Image Vulnerability Scanning

Subscribe to Email Updates

Popular Posts

Filter by Topic

Show more...

    Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and accelerate their digital transformations. The Aqua Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads, wherever they are deployed.

    Aqua customers are among the world’s largest enterprises in financial services, software, media, manufacturing and retail, with implementations across a broad range of cloud providers and modern technology stacks spanning containers, serverless functions and cloud VMs.

Copyright © 2021 Aqua Security Software Ltd.