
Image security scanning in Kubernetes - Commands & Configuration

Introduction
Image security scanning inspects the contents of a container image (OS packages and application dependencies, and in most scanners also embedded secrets and misconfigurations) and matches the installed package versions against vulnerability databases before the image is run. It surfaces known weaknesses early, while the image can still be rebuilt or rejected, instead of after it is serving traffic. It only reports vulnerabilities that are already catalogued; a clean scan does not prove the image is free of other flaws.
When you want to ensure your container images do not have known security issues before deployment
When you need to comply with company security policies for container usage
When you want to automate vulnerability checks in your CI/CD pipeline and fail the build on findings
When you want to avoid running containers that carry packages with known, fixable vulnerabilities
When you want a report of an image's risks to decide whether a rebuild or base-image update is needed
Config File - trivy-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: trivy-config
  namespace: default
data:
  TRIVY_SEVERITY: "CRITICAL,HIGH"
  TRIVY_IGNORE_UNFIXED: "true"
  TRIVY_TIMEOUT: "5m"

This manifest is a Kubernetes ConfigMap, not Trivy's own trivy.yaml configuration file: it holds environment variables that Trivy reads as equivalents of its command-line flags (TRIVY_SEVERITY is --severity, TRIVY_IGNORE_UNFIXED is --ignore-unfixed, TRIVY_TIMEOUT is --timeout). The values take effect only when a pod injects them, for example with envFrom referencing the ConfigMap; on its own the ConfigMap runs and configures nothing. Apply it with kubectl apply -f trivy-config.yaml.

  • TRIVY_SEVERITY: Report only CRITICAL and HIGH findings. Lower-severity issues are still present in the image, they are just not printed, so use this filter for gating and still review an unfiltered report periodically.
  • TRIVY_IGNORE_UNFIXED: Hide vulnerabilities for which the distribution has not yet published a fixed package version. This keeps the output actionable, but those vulnerabilities remain in the image; revisit them once a fix is released.
  • TRIVY_TIMEOUT: Abort a scan that runs longer than 5 minutes, so a slow registry or a hung vulnerability-database download cannot block the pipeline.
Commands
Create the same ConfigMap imperatively, without writing the manifest (the resulting object is identical to applying trivy-config.yaml):
Terminal
kubectl create configmap trivy-config --from-literal=TRIVY_SEVERITY=CRITICAL,HIGH --from-literal=TRIVY_IGNORE_UNFIXED=true --from-literal=TRIVY_TIMEOUT=5m
Expected Output
configmap/trivy-config created
--from-literal - Add key-value pairs directly to the ConfigMap
Run Trivy on the workstation or CI runner (the trivy binary must be installed there) to scan the nginx:1.23 image for CRITICAL and HIGH vulnerabilities, ignoring unfixed ones, with a 5-minute timeout. Trivy reads the image from the local container engine if one is available, otherwise it pulls it from the registry, and it downloads its vulnerability database on first run, so the host needs network access:
Terminal
trivy image --severity CRITICAL,HIGH --ignore-unfixed --timeout 5m nginx:1.23
Expected Output (illustrative; the actual findings depend on the image digest and the vulnerability-database date)
2024-06-01T12:00:00.000Z  INFO  Detected OS: debian
2024-06-01T12:00:00.500Z  INFO  Number of vulnerabilities: 2

nginx:1.23 (debian 11.6)

+-----------+------------------+----------+--------------------+--------------------+-----------------------+
| LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION  | FIXED VERSION      | TITLE                 |
+-----------+------------------+----------+--------------------+--------------------+-----------------------+
| libssl1.1 | CVE-2023-12345   | CRITICAL | 1.1.1d-0+deb11u3   | 1.1.1d-0+deb11u4   | OpenSSL vulnerability |
| curl      | CVE-2023-67890   | HIGH     | 7.74.0-1.3+deb11u1 | 7.74.0-1.3+deb11u2 | Curl security issue   |
+-----------+------------------+----------+--------------------+--------------------+-----------------------+
--severity - Filter vulnerabilities by severity level
--ignore-unfixed - Skip vulnerabilities that have no fixed package version yet (they are still present in the image)
--timeout - Set maximum scan duration
Run Trivy as a temporary pod inside the cluster to scan the same image with the same options; the pod is deleted when the scan finishes. The aquasec/trivy image already uses trivy as its entrypoint, so pass --command before -- (or drop the leading trivy from the arguments); otherwise the container runs "trivy trivy image ..." and fails. An ad-hoc kubectl run pod does not read the trivy-config ConfigMap created above, so the flags are repeated on the command line. The pod pulls nginx:1.23 through the registry API rather than from the node's image cache, so it needs network egress and, for a private registry, credentials. Pin a release tag instead of :latest for anything beyond a one-off test.
Terminal
kubectl run trivy-scan --image=aquasec/trivy:latest --restart=Never --rm -it --command -- trivy image --severity CRITICAL,HIGH --ignore-unfixed --timeout 5m nginx:1.23
Expected Output (illustrative)
2024-06-01T12:01:00.000Z  INFO  Detected OS: debian
2024-06-01T12:01:00.500Z  INFO  Number of vulnerabilities: 2

nginx:1.23 (debian 11.6)

(same vulnerability table as in the previous example)

pod "trivy-scan" deleted
--restart=Never - Create the pod with restartPolicy Never, so it runs exactly once and a non-zero exit is not retried
--rm - Delete the pod after it finishes (requires -i, because kubectl must stay attached to know when the pod exits)
-it - Attach stdin and a TTY so the scan output streams to your terminal
--command - Treat the arguments after -- as the container command instead of appending them to the image's entrypoint (trivy)
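The kubectl run one-liner above repeats the scan flags by hand and never touches the trivy-config ConfigMap. The Job manifest below is an added example, not code from the original page or from the Trivy project, showing how to run the same scan in-cluster with the settings injected from the ConfigMap and the Job's status carrying the result: Trivy exits 1 when it finds a matching vulnerability, and backoffLimit 0 turns that into a failed Job instead of a retry loop. The Job name, the aquasec/trivy:0.50.1 tag, the non-root UID, the cache path and the resource figures are assumptions; pin whichever Trivy release you have validated.

```yaml
# trivy-scan-job.yaml (added example; names and figures are assumptions)
apiVersion: batch/v1
kind: Job
metadata:
  name: trivy-scan-nginx
  namespace: default            # must match the namespace of the trivy-config ConfigMap
spec:
  backoffLimit: 0               # a failed scan is a result, not a transient error: do not retry
  ttlSecondsAfterFinished: 3600 # remove the finished Job (and its pod) after one hour
  template:
    spec:
      restartPolicy: Never
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534        # assumed: the scanner does not need root
      containers:
        - name: trivy
          image: aquasec/trivy:0.50.1   # assumed tag; pin a release, never :latest
          # The image's entrypoint is "trivy", so only the subcommand and flags go in args.
          args:
            - image
            - --exit-code
            - "1"               # exit 1 when any finding passes the severity/unfixed filter
            - --format
            - table
            - nginx:1.23
          envFrom:
            - configMapRef:
                name: trivy-config   # supplies TRIVY_SEVERITY, TRIVY_IGNORE_UNFIXED, TRIVY_TIMEOUT
          env:
            - name: TRIVY_CACHE_DIR
              value: /tmp/trivy-cache   # writable location for the vulnerability DB as non-root
          volumeMounts:
            - name: cache
              mountPath: /tmp/trivy-cache
          resources:
            requests:
              cpu: 250m
              memory: 512Mi
            limits:
              cpu: "1"
              memory: 2Gi
      volumes:
        - name: cache
          emptyDir: {}          # discarded with the pod; the DB is re-downloaded on each run
```

Apply both files and wait for the verdict: kubectl apply -f trivy-config.yaml -f trivy-scan-job.yaml, then kubectl wait --for=condition=complete job/trivy-scan-nginx --timeout=10m. If the scan found CRITICAL or HIGH issues, the Complete condition never appears and kubectl wait exits non-zero, which is the signal a pipeline step can act on; kubectl logs job/trivy-scan-nginx shows the table either way. The pod pulls nginx:1.23 through the registry API, so it needs network egress; for a private registry, pass credentials via TRIVY_USERNAME and TRIVY_PASSWORD from a Secret rather than placing them in the ConfigMap.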
Key Concept

If you remember nothing else from this pattern, remember: scan container images for known vulnerabilities before they reach the cluster, and make the scan result a gate that can fail a deployment, not just a report someone may read.

Common Mistakes
Running image scans without specifying severity filters
This produces long lists of LOW and MEDIUM findings that bury the ones that must block a release
Gate with --severity CRITICAL,HIGH together with --exit-code 1 so the scan actually fails the job, and review the unfiltered report separately rather than never
Not setting a timeout for scans
A slow registry or a hung vulnerability-database download can stall the scan and block the pipeline indefinitely
Use --timeout (or TRIVY_TIMEOUT) to bound scan duration, and treat a timed-out scan as a failure, not a pass
Scanning from ad-hoc pods that ignore the cluster's scanner configuration
A kubectl run one-liner does not read the trivy-config ConfigMap, so every scan repeats its flags by hand and drifts from the agreed policy
Run repeatable scans as a Job whose container loads the ConfigMap with envFrom, so severity, unfixed handling and timeout are defined in one place
Summary
Create a ConfigMap holding the TRIVY_* environment variables for severity, unfixed handling and timeout, and inject it into the scanning pod.
Run the Trivy CLI to scan container images for CRITICAL and HIGH vulnerabilities before they are deployed.
Run the same scan inside the cluster: kubectl run for a one-off check, or a Job that reads the ConfigMap for repeatable, policy-driven scans whose exit status can gate a pipeline.