Aqua Blog

Golang Scanning with Trivy: Detect Vulnerabilities Accurately

Rory McCune
November 9, 2021
Golang Scanning with Trivy: Detect Vulnerabilities Accurately

A standard piece of security advice is to reduce the size of your container images, usually by using statically compiled binaries in a scratch or distroless container. However, that complicates container vulnerability scanning, because it becomes impossible to determine the versions of software installed in a container image. Fortunately, if you’re using Trivy, a popular open source scanner, a couple of useful features can help solve this problem.

Golang binary scanning

The first option is to use Trivy’s Golang binary scanning feature. This enables Trivy to look inside compiled Golang programs and extract module information, which then allows for vulnerability analysis to take place.

Trivy takes advantage of the fact that, by default, the Golang compiler will embed module information into its binaries.

As an example of this scanning, a container image with several Golang programs will produce output like this:

trivy i raesene/alpine-containertools

output of Trivy scan of a container image

This shows the location of the binary scanned and the resulting vulnerability information.

Of course, there are times when compiled binaries won’t provide the information we need. For example, the Caddy project strips module information from their released binaries, so if we scan their container image, we’ll get something like this:

trivy output from scanning the caddy image

In cases like this, we need another approach.

Scanning GitHub repositories

When it’s not possible to scan binary programs, but the source code is available online, you can use Trivy to scan the repository to get a view of vulnerable library versions. For the Caddy project, this would look like this:

trivy repo https://github.com/caddyserver/caddy

Trivy scan of the caddy github repository

This approach is scanning the go.sum file found in the repository and looking at the version information there.

Summary

When implementing security measures like minimizing the size of container images, it’s always important to consider the trade-offs. In some cases, it may be necessary to change the approach to vulnerability scanning to ensure that vulnerabilities are still detected appropriately. As we saw, with Trivy, this process is easy to handle.

Published under: AQUA OPEN SOURCE

Tags: , , ,

Rory McCune
Rory was a Cloud Native Security Advocate at Aqua. He has worked in the Information and IT Security arena for the last 20 years in a variety of roles. He is an active member of the container security community having delivered presentations at a variety of IT and Information security conferences. He has also presented at major containerization conferences and is an author of the CIS Benchmarks for Docker and Kubernetes and main author of the Mastering Container Security training course which has been delivered at numerous industry conferences including Blackhat USA.
Need to secure enterprise workloads?
Aqua Cloud Native Application Protection Platform (CNAPP)
Go cloud native with the experts!
Get Demo
Aqua Security stops cloud native attacks across the application lifecycle. As the pioneer in cloud native security, Aqua helps customers reduce risk while building the future of their businesses. The Aqua Platform is the industry's most integrated Cloud Native Application Protection Platform (CNAPP), protecting the application lifecycle from code to cloud and back. Founded in 2015, Aqua is headquartered in Boston, MA and Ramat Gan, IL with Fortune 1000 customers in over 40 countries.
Read Aqua Security reviews on G2

Use Cases

Environments

Partners

Resources

About Us

Get in Touch

Products

Get Started
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use | Cookie Settings |  
Accessibility Tools
Normal text size Medium text size Large text size
Normal display Black & White display High contrast display
Stop transitions and animations Underline Links