Andrew Harry

andrewharry.com

Keeping software safe

In today’s fast-paced development world, keeping your software secure is a constant battle. Vulnerable dependencies can open the door to serious problems, but thankfully, tools like Trivy can help.

This powerful, open-source scanner, backed by Aqua Security, makes identifying and managing these risks easier than ever.

One challenge I found when setting up Trivy was finding clear instructions for scanning local source code using a Docker or Podman image. Most examples focus on scanning existing images, leaving developers to figure out the local scanning process on their own.

In this post, I will show you how to set it up in just a few minutes.

Running Trivy with Podman (or Docker)

The following batch file uses podman but you can easily swap that for docker by replacing “podman” with “docker”. After scanning, the batch script will save the report file locally in the current directory.

The batch file uses a hardcoded ROOT_DIR for simplicity - modify this to suit your needs.

  @echo off
  setlocal

  set "VERSION=latest"
  rem Persistent location for the vulnerability database; change to suit your machine
  set "ROOT_DIR=C:\Trivy"
  set "CACHE_DIR=%ROOT_DIR%\cache"
  set "REPORT_FILE=results.md"

  IF NOT EXIST "%CACHE_DIR%" (
      echo Initially creating persistent directory: %CACHE_DIR%
      mkdir "%CACHE_DIR%"
  )

  IF EXIST "%REPORT_FILE%" (
      del "%REPORT_FILE%"
  )

  rem Make sure we are using the latest version
  podman pull aquasec/trivy:%VERSION%

  rem Mount the current directory as /src and the cache as /cache inside the container,
  rem then scan the filesystem at /src and write the report back into the current directory
  podman run -it --rm ^
      -v "%CD%:/src" ^
      -v "%CACHE_DIR%:/cache" ^
      aquasec/trivy:%VERSION% ^
      --cache-dir /cache ^
      --format table --output "/src/%REPORT_FILE%" ^
      fs /src

  echo Trivy scan completed.
  pause

  rem Opens the report file with VSCode
  code "%REPORT_FILE%"

Running the script

Save the batch file above as trivy-scan.bat in a folder that is on your PATH. Then open a command prompt in the root folder of the source code you want to scan and run the following command: trivy-scan.bat

On the first run this will download the latest vulnerability database into your nominated cache directory (CACHE_DIR); later runs reuse it. It will then scan the source for any issues.

The report will automatically open in VS Code upon completion!

Example Report

MyTestProject/packages.config (nuget)
======================================================================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌─────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│     Library     │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├─────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ MimeKit         │ GHSA-gmc6-fwg3-75m5 │ HIGH     │ fixed  │ 3.3.0             │ 4.7.1         │ Mimekit has vulnerable dependency that can lead to denial of │
│                 │                     │          │        │                   │               │ service                                                      │
│                 │                     │          │        │                   │               │ https://github.com/advisories/GHSA-gmc6-fwg3-75m5            │
├─────────────────┼─────────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ Newtonsoft.Json │ CVE-2024-21907      │          │        │ 9.0.1             │ 13.0.1        │ Improper Handling of Exceptional Conditions in               │
│                 │                     │          │        │                   │               │ Newtonsoft.Json                                              │
│                 │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-21907                   │
└─────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
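The table above is easy to read but awkward to act on automatically. As an added example (not part of the original post or of Trivy itself), the following Python script assumes the same scan was run with Trivy's `--format json` option instead of `--format table`, and shows how to reproduce the per-target "Total:" summary line and fail a build when findings at or above a chosen severity exist. The embedded report is a constructed sample that mirrors the two findings shown above (field names follow Trivy's JSON schema; the second, clean target is also constructed); the `gate` function mirrors Trivy's own `--severity` and `--ignore-unfixed` behaviour.

```python
"""Summarise and gate on a Trivy JSON report (output of `trivy fs --format json`)."""
import json
import sys
from collections import Counter

# Ascending order, matching the order Trivy prints in its "Total:" line
SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")
RANK = {name: i for i, name in enumerate(SEVERITIES)}

# Constructed sample input: the two findings from the example report, in the
# shape Trivy's JSON formatter emits (only the keys used here are included).
# The second target is constructed to show a clean result; Trivy omits the
# "Vulnerabilities" key entirely for such targets.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "MyTestProject/packages.config",
            "Type": "nuget",
            "Vulnerabilities": [
                {"VulnerabilityID": "GHSA-gmc6-fwg3-75m5", "PkgName": "MimeKit",
                 "InstalledVersion": "3.3.0", "FixedVersion": "4.7.1",
                 "Severity": "HIGH", "Status": "fixed",
                 "Title": "Mimekit has vulnerable dependency that can lead to denial of service"},
                {"VulnerabilityID": "CVE-2024-21907", "PkgName": "Newtonsoft.Json",
                 "InstalledVersion": "9.0.1", "FixedVersion": "13.0.1",
                 "Severity": "HIGH", "Status": "fixed",
                 "Title": "Improper Handling of Exceptional Conditions in Newtonsoft.Json"},
            ],
        },
        {"Target": "MyTestProject/MyTestProject.csproj", "Type": "nuget"},
    ],
})


def load_report(text):
    """Parse report JSON; a report with no "Results" key is treated as empty."""
    report = json.loads(text)
    report.setdefault("Results", [])
    return report


def _severity(vuln):
    """Normalise a finding's severity; anything unrecognised counts as UNKNOWN."""
    sev = str(vuln.get("Severity", "UNKNOWN")).upper()
    return sev if sev in RANK else "UNKNOWN"


def summarize(report):
    """Return {target: Counter(severity -> count)} for every scanned target."""
    summary = {}
    for result in report["Results"]:
        counts = Counter({sev: 0 for sev in SEVERITIES})
        for vuln in result.get("Vulnerabilities") or []:
            counts[_severity(vuln)] += 1
        summary[result["Target"]] = counts
    return summary


def format_total(counts):
    """Render the 'Total: ...' line in the same layout as Trivy's table output."""
    breakdown = ", ".join(f"{sev}: {counts[sev]}" for sev in SEVERITIES)
    return f"Total: {sum(counts.values())} ({breakdown})"


def gate(report, threshold="HIGH", ignore_unfixed=False):
    """Return (target, package, id, severity) for findings at or above `threshold`.

    ignore_unfixed=True drops findings with no FixedVersion, like Trivy's --ignore-unfixed.
    """
    findings = []
    for result in report["Results"]:
        for vuln in result.get("Vulnerabilities") or []:
            sev = _severity(vuln)
            if RANK[sev] < RANK[threshold]:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            findings.append((result["Target"], vuln["PkgName"], vuln["VulnerabilityID"], sev))
    return findings


def main(argv):
    """Usage: python trivy_gate.py [results.json]; returns 1 if any HIGH/CRITICAL finding."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT  # fall back to the constructed sample
    report = load_report(text)
    for target, counts in summarize(report).items():
        print(f"{target}\n{format_total(counts)}\n")
    failing = gate(report, threshold="HIGH")
    for target, pkg, vid, sev in failing:
        print(f"{sev:<8} {pkg:<16} {vid}  ({target})")
    return 1 if failing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the JSON written by the scan (for the batch file above that means `--format json --output /src/results.json`) and use its exit status in CI; the threshold and the `ignore_unfixed` switch are the two knobs teams usually tune so that a scan blocks merges only on findings that can actually be remediated.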
