Trivy Setup on Jenkins CI/CD (Ubuntu)
Trivy is an open-source vulnerability scanner specifically designed for containerized environments such as Docker and Kubernetes. It helps users identify vulnerabilities in their container images, which are critical for ensuring the security of applications running in these environments.
Here are some key features and aspects of Trivy:
- Container Image Scanning: Trivy scans container images to detect vulnerabilities in the operating system packages and other dependencies included within the image layers.
- Database of Vulnerabilities: It leverages a database that includes information from multiple vulnerability databases such as CVE (Common Vulnerabilities and Exposures), NVD (National Vulnerability Database), and others, to provide comprehensive coverage.
- Fast and Lightweight: Trivy is designed to be fast and lightweight, making it suitable for use in CI/CD pipelines and automated scanning processes.
- Integration: It can be integrated into CI/CD workflows and container registries like Docker Hub, enabling automatic scanning of images before they are deployed.
- Support for Multiple File Formats: Trivy supports scanning Docker images, OCI (Open Container Initiative) images, and Kubernetes manifests.
- Ease of Use: It offers a command-line interface (CLI) that is straightforward to use, with options for detailed scanning reports and configurable severity levels.
- Continuous Updates: The vulnerability database is regularly updated to ensure that the latest security threats are identified.
Overall, Trivy is a valuable tool for DevOps teams and developers working with containerized applications, helping them identify and mitigate security risks early in the development and deployment process.
Step 1: Prerequisites
Jenkins installation
Step 2: Install Trivy
Install Trivy on the system where Jenkins is running.
sudo apt-get install wget apt-transport-https gnupg lsb-release -y
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy -y
A Jenkins pipeline example is shown below (the build and scan stages must refer to the same image name, here IMAGE_NAME).
stage('Build docker image') {
    steps {
        sh 'docker build -t $IMAGE_NAME:latest .'
    }
}
stage('Scan Docker Image') {
    steps {
        script {
            // Run Trivy against the image built in the previous stage and capture its table output
            def trivyOutput = sh(script: "trivy image $IMAGE_NAME:latest", returnStdout: true).trim()
            // Display Trivy scan results
            println trivyOutput
            // Check if vulnerabilities were found
            // (Trivy prints one "Total: N" line per scanned target, so this string match only
            // tells you that at least one target had zero findings, not that the whole image is clean)
            if (trivyOutput.contains("Total: 0")) {
                echo "No vulnerabilities found in the Docker image."
            } else {
                echo "Vulnerabilities found in the Docker image."
                // You can take further actions here based on your requirements
                // For example, failing the build if vulnerabilities are found
                // error "Vulnerabilities found in the Docker image."
            }
        }
    }
}
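A more robust build gate than the "Total: 0" string match above, as an added example that is not part of the original post: it parses Trivy's JSON output (trivy image --format json) and fails only on a chosen set of severities, optionally ignoring findings that have no fixed version yet. The script name trivy_gate.py, the sample report contents and the CVE ids in it are made up for this example; the field names follow Trivy's JSON schema.

```python
import json

# Constructed sample of what `trivy image --format json` emits. Field names match
# Trivy's schema; the target, packages and CVE ids are placeholders for this example.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example-app:latest",
    "Results": [
        {"Target": "example-app:latest (debian 12.5)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
              "InstalledVersion": "2.1", "FixedVersion": "", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libminor",
              "InstalledVersion": "0.9", "FixedVersion": "0.9.1", "Severity": "LOW"},
         ]},
        # A target with no findings: Trivy omits the "Vulnerabilities" key entirely,
        # which is why the parser must tolerate a missing or null list.
        {"Target": "app/package-lock.json", "Class": "lang-pkgs"},
    ],
})


def count_by_severity(report_json, ignore_unfixed=False):
    """Return {severity: count} aggregated over every target in a Trivy JSON report."""
    counts = {}
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            # Findings without a FixedVersion cannot be remediated by upgrading yet
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] = counts.get(sev, 0) + 1
    return counts


def should_fail(report_json, fail_on=("CRITICAL", "HIGH"), ignore_unfixed=False):
    """True when any finding at a gated severity is present; this is the build gate."""
    counts = count_by_severity(report_json, ignore_unfixed)
    return any(counts.get(sev, 0) > 0 for sev in fail_on)


if __name__ == "__main__":
    import sys
    # Read the report from stdin when piped in; fall back to the constructed sample
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    print(count_by_severity(data))
    sys.exit(1 if should_fail(data) else 0)
```

From the pipeline this could be invoked as sh 'trivy image --format json $IMAGE_NAME:latest | python3 trivy_gate.py', where the non-zero exit fails the stage; for the plain severity threshold Trivy's own --exit-code 1 --severity HIGH,CRITICAL (and --ignore-unfixed) flags achieve the same without a script.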
Review Trivy Scan Results
Once the Jenkins job completes, navigate to the job’s build page.
Look for the Trivy scan results either in the console output