In this article, we will see how to install the trivy vulnerability scanner on Ubuntu or Debian based systems. If you are using docker containers or a microservices based environment, trivy is one of the best open source vulnerability scanners that can be used to scan and test images before deploying them to production, so that known vulnerabilities are caught before they can be exploited. Trivy is an easy to use vulnerability scanner specifically designed for container images, but it can also scan file systems, Git repositories, and Infrastructure as Code (IaC) configurations.
Its ease of use, speed, and integration capabilities make it an attractive choice for teams looking to incorporate security scanning into their development and operational practices. Here we will see how to install trivy on Ubuntu or Debian based systems.
Reasons to use trivy
- Ease of Use: Trivy is designed to be simple and easy to use. It requires no extensive configuration or setup and can be run with a single command. This lowers the barrier to entry for teams to start incorporating security scanning into their development and deployment workflows.
- High Accuracy: Trivy aims to reduce false positives and negatives in its scanning results. It achieves high accuracy by aggregating data from multiple sources and using its vulnerability database, which is regularly updated.
- Fast Scanning: Trivy is known for its fast scanning capabilities, which is particularly important when integrating security scanning into CI/CD pipelines to ensure that security checks do not significantly slow down development processes.
- Integration with CI/CD Pipelines: Trivy can be easily integrated into continuous integration and continuous deployment (CI/CD) pipelines, making it possible to automate vulnerability scanning as part of the build and deployment process. This helps in identifying and addressing vulnerabilities early in the development lifecycle.
- Comprehensive Reports: Trivy generates detailed and actionable reports that can help developers and security teams understand the vulnerabilities detected, their severity, and potential fixes or mitigations.
- Open Source and Actively Maintained: Being open-source, Trivy has the advantage of community support and contributions, ensuring that it stays up-to-date with the latest security threats and best practices.
- Support for Multiple Targets: Besides container images, Trivy can also scan file systems, Git repositories, and Infrastructure as Code (IaC) files, making it a versatile tool for scanning different aspects of an application's environment.
- Misconfiguration Detection: Trivy can identify misconfigurations in container images, Kubernetes, and IaC files, helping teams to not only fix vulnerabilities but also improve the overall security posture by adhering to best practices.
How to Install Trivy Vulnerability Scanner on Ubuntu or Debian
Step 1: Prerequisites
a) You should have a running Ubuntu or Debian Server.
b) You should have root access to run privileged commands.
c) You should have the apt-get utility available in your Server.
d) You should also have the snap utility available in your system in case you would like to install trivy from the Snap store.
e) Minimum hardware configuration required for installation:
- CPU: 1-2 cores. Trivy can benefit from multiple cores for concurrent scans, but it can run on a single-core machine for basic usage.
- Memory: 512MB to 1GB RAM. Memory usage may increase with the size of the images being scanned or the number of vulnerabilities found, so more complex scans or larger images may require more memory.
- Disk Space: At least 1GB of free disk space. Trivy needs space to store its vulnerability database and additional space might be required for caching or temporary files during scans.
Step 2: Update Your Server
To update the list of available packages and their versions, and then upgrade all installed packages to their latest versions, run the sudo apt update && sudo apt upgrade command as shown below.
itsfosslinux@ubuntu:~$ sudo apt update && sudo apt upgrade
Step 3: Install trivy
In the next step, you can choose to install trivy by using any of the below methods depending on your needs and requirements.
a) Using Repo
Before installing trivy, you need to install a set of tools which will be used to set up new repositories, download files from the internet, and ensure secure communication with software repositories. To install them, run the sudo apt-get install wget apt-transport-https gnupg lsb-release command as shown below.
itsfosslinux@ubuntu:~$ sudo apt-get install wget apt-transport-https gnupg lsb-release
Before adding the repo to download the trivy package, you need to download the GPG (GNU Privacy Guard) public key that signs the repository and add it to your system's list of trusted keys using the command shown below.
itsfosslinux@ubuntu:~$ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
You can now add the trivy repo by using the echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list command as shown below.
itsfosslinux@ubuntu:~$ echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
To refresh the list of available packages and their versions from the configured repositories, run the sudo apt-get update command as shown below.
itsfosslinux@ubuntu:~$ sudo apt-get update
Finally, install the package from the repo by using the sudo apt-get install trivy command as shown below. This will download and install the package along with all its required dependencies.
itsfosslinux@ubuntu:~$ sudo apt-get install trivy
b) Using Debian Package
You also have the option to install trivy from a debian package. For that you need to visit the GitHub releases page and download the latest debian package using the wget utility as shown below. This will download the package into the current working directory.
itsfosslinux@ubuntu:~$ wget https://github.com/aquasecurity/trivy/releases/download/v0.18.3/trivy_0.18.3_Linux-64bit.deb
Then install that package by using the sudo dpkg -i trivy_0.18.3_Linux-64bit.deb command as shown below.
itsfosslinux@ubuntu:~$ sudo dpkg -i trivy_0.18.3_Linux-64bit.deb
c) Using Snap
Another method that you can employ is to install trivy as a snap package. This method requires you to install the package by using the sudo snap install trivy command as shown below. It will download and install the latest version of trivy from the Snap store.
itsfosslinux@ubuntu:~$ sudo snap install trivy
Step 4: Check Version
You can verify the currently installed version by using the trivy --version command as shown below.
itsfosslinux@ubuntu:~$ trivy --version
Step 5: Verify Installation
You can also verify the installation status by using the dpkg -s trivy command as shown below. To know more about dpkg command usage, check 21+ Practical dpkg Command Examples for Linux Beginners.
itsfosslinux@ubuntu:~$ dpkg -s trivy
Step 6: Using Trivy
Now that trivy is installed, let's use it to scan a filesystem. Here we scan the /home/itsfosslinux directory by running the trivy fs /home/itsfosslinux command as shown below.
itsfosslinux@ubuntu:~$ trivy fs /home/itsfosslinux
Similarly, if you have a container image to scan, you can use the trivy image <image_name> command. Trivy checks the packages in the image against the vulnerability databases it aggregates, which include NVD, the Debian Security Bug Tracker, Red Hat Security Data, and others. For example, to scan the debian image for known vulnerabilities in its packages, run the trivy image debian command as shown below.
itsfosslinux@ubuntu:~$ trivy image debian
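As an added example that is not part of the original article, the script below shows how the trivy image scan above can act as a gate in a CI pipeline: trivy writes a JSON report, and a small POSIX shell check counts CRITICAL and HIGH findings and fails when any are present. The report contents, package names and CVE ids are constructed here purely for illustration.

```shell
#!/bin/sh
# Added example, not code from the trivy project or the original article.

# Write a constructed Trivy JSON report in the shape "trivy image --format json"
# produces, so the counting logic can be exercised without running trivy.
# The CVE ids are placeholders, not real identifiers.
make_sample_report() {
  cat > "$1" <<'EOF'
{"SchemaVersion":2,"ArtifactName":"debian","ArtifactType":"container_image",
 "Results":[{"Target":"debian (debian 12)","Class":"os-pkgs","Type":"debian",
  "Vulnerabilities":[
   {"VulnerabilityID":"CVE-0000-00001","PkgName":"libexample1","InstalledVersion":"1.0-1","FixedVersion":"1.0-2","Severity":"CRITICAL"},
   {"VulnerabilityID":"CVE-0000-00002","PkgName":"libexample2","InstalledVersion":"2.3-1","FixedVersion":"","Severity":"HIGH"},
   {"VulnerabilityID":"CVE-0000-00003","PkgName":"libexample3","InstalledVersion":"0.9-4","FixedVersion":"0.9-5","Severity":"MEDIUM"}]}]}
EOF
}

# Count findings of one severity in a report file.
# grep -o prints one match per line, so wc -l gives the number of findings.
count_severity() {
  grep -o "\"Severity\": *\"$2\"" "$1" | wc -l | tr -d ' '
}

# Gate: exit status 1 when any CRITICAL or HIGH finding is present, 0 otherwise.
gate_report() {
  n=$(( $(count_severity "$1" CRITICAL) + $(count_severity "$1" HIGH) ))
  echo "blocking findings in $1: $n"
  [ "$n" -eq 0 ]
}

# Real scan of an image ($1) into a report file ($2). trivy can apply the same
# policy itself: --severity restricts the findings reported, --ignore-unfixed
# drops findings with no FixedVersion (like the HIGH one in the sample above),
# and --exit-code 1 makes trivy fail the pipeline as soon as a finding remains.
scan_image() {
  trivy image --format json --output "$2" \
    --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 "$1"
}
```

Run scan_image debian report.json on a machine where trivy is installed, then gate_report report.json; the sample report above is only there to show what the gate does with a CRITICAL, a HIGH and a MEDIUM finding.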
Step 7: Check all available options
To display help information and usage instructions for Trivy, run the trivy --help command as shown below.
itsfosslinux@ubuntu:~$ trivy --help
Step 8: Uninstall Trivy
In case you no longer need Trivy for some reason, you can choose to remove it from your system by using any of the below methods depending on how you installed it.
a) Using apt or apt-get
If you installed trivy from the repo or from the debian package, then to remove it you have to run the sudo apt-get remove trivy command as shown below. This typically leaves behind configuration files and some data files. This behavior is intentional, to avoid losing potentially important data and custom configurations if you decide to reinstall the package later. If you want to remove Trivy along with its configuration files, use the sudo apt-get purge trivy command instead.
itsfosslinux@ubuntu:~$ sudo apt-get remove trivy
b) Using snap
Snap packages are self-contained, which means they include most of their dependencies, so removing a snap package is generally a clean process that doesn't leave unused dependencies behind on the system. To uninstall the Trivy snap package from your system, along with any data associated with it, run the sudo snap remove trivy command as shown below.
itsfosslinux@ubuntu:~$ sudo snap remove trivy