Keeping software safe
In today’s fast-paced development world, keeping your software secure is a constant battle. Vulnerable dependencies can open the door to serious problems, but thankfully, tools like Trivy can help.
This powerful, open-source scanner, backed by Aqua Security, makes identifying and managing these risks easier than ever.
One challenge I found when setting up Trivy was finding clear instructions for scanning local source code using a Docker or Podman image. Most examples focus on scanning existing images, leaving developers to figure out the local scanning process on their own.
In this post, I will show you how to set it up in just a few minutes.
Running Trivy with Podman (or Docker).
The following batch file uses podman, but you can easily swap that for docker by replacing “podman” with “docker”.
After scanning, the batch script will save the report file locally in the current directory.
The batch file uses a hardcoded ROOT_DIR for simplicity - modify this to suit your needs.
@echo off
rem Image tag to pull; pin a specific version here if you need reproducible scans
set VERSION=latest
rem Persistent location for the vulnerability database cache (hardcoded; adjust to suit)
set ROOT_DIR=C:\Trivy
set CACHE_DIR=%ROOT_DIR%\cache
set REPORT_FILE=results.md
IF NOT EXIST "%CACHE_DIR%" (
    echo Initially creating persistent directory: %CACHE_DIR%
    mkdir "%CACHE_DIR%"
)
IF EXIST "%REPORT_FILE%" (
    del "%REPORT_FILE%"
)
rem Make sure we are using the latest version
podman pull aquasec/trivy:%VERSION%
rem Mount the current directory as /src and the cache as /cache, then scan the filesystem
podman run -it --rm ^
    -v "%CD%:/src" ^
    -v "%CACHE_DIR%:/cache" ^
    aquasec/trivy:%VERSION% ^
    --cache-dir /cache ^
    --format table --output /src/%REPORT_FILE% ^
    fs /src
echo Trivy scan completed.
pause
rem Opens the report file with VSCode
code "%REPORT_FILE%"
Running the script
Make sure the above batch file is saved in your path and then simply navigate to the source code’s root folder and open a command prompt.
From there run the following command: trivy-scan.bat
This will download the latest vulnerability database into your nominated cache directory (CACHE_DIR). It will then scan the source for any issues.
The report will automatically open in VS Code upon completion!
Example Report
MyTestProject/packages.config (nuget)
======================================================================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
┌─────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ MimeKit │ GHSA-gmc6-fwg3-75m5 │ HIGH │ fixed │ 3.3.0 │ 4.7.1 │ Mimekit has vulnerable dependency that can lead to denial of │
│ │ │ │ │ │ │ service │
│ │ │ │ │ │ │ https://github.com/advisories/GHSA-gmc6-fwg3-75m5 │
├─────────────────┼─────────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ Newtonsoft.Json │ CVE-2024-21907 │ │ │ 9.0.1 │ 13.0.1 │ Improper Handling of Exceptional Conditions in │
│ │ │ │ │ │ │ Newtonsoft.Json │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-21907 │
└─────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
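A table report like the one above is meant for reading; to make the same scan fail a build, run Trivy with --format json instead and feed the file to a small gate. The script below is an added example, not part of the original post or of Trivy; it assumes Trivy's JSON layout (Results → Vulnerabilities with PkgName, VulnerabilityID, InstalledVersion, FixedVersion, Severity) and embeds a constructed sample that mirrors the two findings in the example report.

```python
"""Gate a Trivy JSON report on severity (added example; run Trivy with --format json)."""
import json
import sys
from collections import Counter

# Constructed sample mirroring the post's example report (same packages and advisory IDs).
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "MyTestProject/packages.config",
        "Type": "nuget",
        "Vulnerabilities": [
            {"VulnerabilityID": "GHSA-gmc6-fwg3-75m5", "PkgName": "MimeKit",
             "InstalledVersion": "3.3.0", "FixedVersion": "4.7.1", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2024-21907", "PkgName": "Newtonsoft.Json",
             "InstalledVersion": "9.0.1", "FixedVersion": "13.0.1", "Severity": "HIGH"},
        ],
    }]
})

# Trivy's severity levels, lowest to highest (matches the "Total:" line of the table report)
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def rank(severity):
    """Numeric rank of a severity; anything unexpected is treated as UNKNOWN."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def findings(report_text):
    """Flatten every result into (target, pkg, id, installed, fixed, severity) tuples."""
    data = json.loads(report_text)
    rows = []
    for result in data.get("Results") or []:          # "Results" is absent when nothing was found
        for v in result.get("Vulnerabilities") or []:  # key is absent for clean targets
            rows.append((result.get("Target", "?"), v["PkgName"], v["VulnerabilityID"],
                         v.get("InstalledVersion", ""), v.get("FixedVersion", ""),
                         v.get("Severity", "UNKNOWN")))
    return rows


def gate(report_text, fail_on="HIGH"):
    """Return (exit_code, counts_by_severity); exit_code is 1 if any finding is >= fail_on."""
    rows = findings(report_text)
    counts = Counter(r[5] for r in rows)
    blocking = [r for r in rows if rank(r[5]) >= rank(fail_on)]
    for target, pkg, vid, installed, fixed, sev in blocking:
        fix = f"upgrade to {fixed}" if fixed else "no fix available"
        print(f"{sev:8} {target}: {pkg} {installed} ({vid}); {fix}")
    return (1 if blocking else 0), dict(counts)


if __name__ == "__main__":
    # Usage: python trivy_gate.py results.json [HIGH|CRITICAL|...]; with no file the sample is used
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, counts = gate(text, sys.argv[2] if len(sys.argv) > 2 else "HIGH")
    print("Total:", sum(counts.values()), counts)
    sys.exit(code)
```

Trivy itself can also fail the scan with --exit-code 1 --severity HIGH,CRITICAL; the gate above adds the per-package fixed-version summary you would otherwise read off the table.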