Aqua Security, the pure-play cloud native security pioneer, announces that Aqua’s open source Trivy vulnerability scanner is now available as an Aqua Security Trivy GitHub Action. The action integrates with GitHub code scanning so developers can build container image scanning into their GitHub Actions workflow to find and eliminate vulnerabilities before they reach production.

“Code scanning was purpose-built with extensibility in mind,” said John Leon, VP of Business Development at GitHub. “We continue to expand our security ecosystem with solutions like Aqua, so developers can work with the security scanning technologies they want, all within the GitHub-native experience they love. Together, we’re making security easier for everyone.”

Actionable security reviews

GitHub code scanning integrates with GitHub Actions or users’ existing CI/CD environments and scans code as it’s created, surfacing actionable security reviews within pull requests and other GitHub experiences.

The Aqua Security Trivy Action integration finds vulnerabilities (CVEs) in the OS package dependencies and language libraries built into a container image. Developers must avoid deploying images that might harbor significant CVEs that attackers can exploit. The Trivy Action alerts developers to known CVEs via the GitHub user interface so they can quickly and easily update these dependencies and eliminate the risk.

Ingesting security information

The Trivy Action generates output in SARIF, a format that GitHub supports for ingesting security information. The output from an image scan appears right in the GitHub code scanning UI, specifically under a project repository’s Security tab.

“Developers are moving more applications into production, so we’re focused on helping them build securely without slowing down innovation,” said Liz Rice, VP of Open Source Engineering at Aqua. “The new Aqua Security Trivy GitHub Action brings container security scanning right into the GitHub interface that developers know and love.”

The new Aqua Security Trivy Action is available on the GitHub Marketplace now. Follow this link to view a sample workflow of building a container image from a Dockerfile in the repository and running the Aqua Security Trivy code scanning over it.
Aqua Security, the platform provider for securing cloud native applications and infrastructure, announced that its open source Trivy vulnerability scanner is now available as an integrated option in several widely deployed cloud native platforms.

Trivy is a comprehensive and easy-to-use open source vulnerability scanner for container images. Since its introduction 10 months ago, the project has gained a broad following among open source community members, who have tagged it with more than 3,300 GitHub stars. Unlike other open source scanners, Trivy covers both OS packages and language-specific dependencies and is extremely easy to integrate into organizations’ software development pipelines.

Integrated scanning option

Trivy is now available under the Apache 2 license, allowing royalty-free use, modification, and distribution of the software. Trivy will be included as the default scanner in Harbor, a popular open source container image registry project under the Cloud Native Computing Foundation. In addition, the widely used container platforms Docker and Mirantis Docker Enterprise will make Trivy available as an integrated scanning option for their deployments.

“Trivy takes container image scanning to higher levels of usability and performance. With frequent feature and vulnerability database updates and its comprehensive vulnerability scanning, it is the perfect complement to Harbor. In fact, we made it the default scanner option for Harbor registry users in the upcoming v2.0 release because of these capabilities,” said Michael Michael, Harbor Maintainer and Director of Product Management at VMware. “With Trivy, Harbor users can easily and quickly scan their container images for vulnerabilities on an ongoing basis.”

Flexible container management platform technology

“Trivy is a container image scanner that is so incredibly easy to use and fast to scan,” added Justin Cormack, Security Lead at Docker and a member of the CNCF Technical Oversight Committee. “It suddenly means that vulnerability scanning becomes easy to integrate into your daily routine, scripts and CI, which is the way it should be.”

“After evaluating several leading options for open source vulnerability scanning, Trivy really stood out,” said Milind Gadre, VP of Engineering at Mirantis. “Mirantis will enable Trivy as an integrated component that's verified as compatible with the Docker Trusted Registry included in our Docker Enterprise solution. We're extremely excited to extend our leadership in secure, flexible container management platform technology for organizations with challenging security and compliance concerns.”

Cloud security posture management

Liz Rice, VP Open Source Engineering at Aqua and Chair of the Cloud Native Computing Foundation’s (CNCF) Technical Oversight Committee (TOC), leads the team of dedicated open source developers at Aqua who work on the company’s open source software and also actively contribute to other community projects. “Our team is excited by the level of interest in and adoption of Trivy, and this increases our determination to make Trivy the most widely adopted open source solution for container vulnerability scanning,” said Rice.

Trivy is part of Aqua’s portfolio of open source cloud native security projects, including:

kube-bench: Winner of the 2018 InfoWorld Bossie Awards, kube-bench automatically determines whether Kubernetes is configured according to recommendations in the CIS Kubernetes benchmark.
kube-hunter: A penetration testing tool that searches for weaknesses in Kubernetes clusters so administrators, operators and security teams can identify and address any issues before attackers are able to exploit them.
Tracee: Traces events in containers using eBPF, a kernel technology that lets users run custom programs within the kernel itself.
CloudSploit: Provides cloud security posture management (CSPM), evaluating cloud account and service configurations against security best practices.
kubectl-who-can: An extension to the standard kubectl tool that simplifies queries about Kubernetes role-based access control (RBAC) configuration.