grype VS trivy

Grype is a popular open source CVE scanner that scans for known vulnerabilities in container images and filesystems. At the time of this writing, the latest release is 0.80.1 and you can find packages for most operating systems in their releases page.

CycloneDX tools offer packages for each and every programming language. [1]

The dependency track project accumulates all dependency vulnerabilities in a dashboard. [2]

Container SBOMs can be generated with syft and grype [3] [4]

[1] https://github.com/CycloneDX

[2] https://github.com/DependencyTrack

[3] https://github.com/anchore/syft

[4] https://github.com/anchore/grype

Trivy Operator : A simple and comprehensive vulnerability scanner for containers and other artifacts. It detects vulnerabilities of OS packages (Alpine, Debian, CentOS, etc.) and application dependencies (pip, npm, yarn, composer, etc.) (Alternatives : Grype, Snyk, Clair, Anchore, Twistlock)

Besides pointing pentester tools like metasploit at yourself, there are some nice scanners out there.

https://github.com/quay/clair

https://github.com/anchore/grype/

Using Grype:

In the lab to follow, we'll see how vulnerability scanning can be conveniently achieved with Grype and how various systematic techniques can be applied to start securing our microservices at the container image level.

Trivy (scan for vulnerabilities): https://github.com/aquasecurity/trivy

That particular structure hasn't really taken off, but the general idea of having unique-ish token formats that can be mapped back to a provider is becoming more popular.

Trivy has a pretty good collection of examples that is used for its secret scanning functionality, https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/se....

Software Bill of Materials (SBOM): Knowing what’s in your software is the new cool. Tools like Syft and Trivy can generate SBOMs as part of your CI/CD pipeline, enhancing supply chain security.

Trivy: security scanner for IaC and dependencies

Prior to deploying kubernetes manifest files to EKS Cluster, supplementary steps need to be added to prevent security and misconfiguration issue by using both *Checkov *and Trivy . Also, we will use seperate ArgoCD account from admin user that we’ve used in the previous lab. This will follow ArgoCD RBAC rule to secure ArgoCD and EKS cluster ultimately.

Regularly scan your Docker images for vulnerabilities using tools like Trivy or Clair.

Since I'm working on a Windows machine, I went straight to the Trivy website (https://aquasecurity.github.io/trivy/) to download the latest release. The official website is the best place to get the latest version of Trivy. This direct approach gives me more control over the installation process.

There are also pre-built packages available for various Linux distros, or grab the binary from GitHub releases: https://github.com/aquasecurity/trivy/releases

name: CI on: [push, pull_request] jobs: trivy: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v2 - name: Set up Trivy run: | sudo apt-get update && sudo apt-get install -y wget wget https://github.com/aquasecurity/trivy/releases/download/v0.28.1/trivy_0.28.1_Linux-64bit.deb sudo dpkg -i trivy_0.28.1_Linux-64bit.deb - name: Scan Docker image run: | docker build -t my-docker-image:latest . trivy image my-docker-image:latest - name: Scan Kubernetes manifests run: | trivy k8s --file /path/to/manifest.yaml