Scanning Container Images for Known Vulnerabilities
Container images are an essential part of modern application deployments. Because they bundle many software components and libraries, container images can contain vulnerabilities and security weaknesses. Attackers can exploit these vulnerabilities to gain unauthorized access to the container, the host operating system, and the underlying infrastructure.
Container image scanning tools identify the vulnerabilities in an image so that you can review them and decide on an appropriate course of action, whether that is updating library versions, choosing a different base image, or accepting the identified risks.
This lab focuses on the Trivy scanning tool by Aqua Security. Trivy is highlighted as a reference tool in the Certified Kubernetes Security Specialist (CKS) exam. You will learn how to scan images with Trivy and filter findings by severity in this lab. You will also apply what you learn to identify critical vulnerabilities in a sample application deployed in Kubernetes.
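To make the severity filtering concrete, here is an added Python example (not part of the lab and not Trivy's own code) that reads a Trivy JSON report, keeps only findings at or above a chosen severity, and sorts them into those an upgrade would fix versus those that need a different base image or an accepted risk. It assumes the Results/Vulnerabilities layout produced by `trivy image --format json` and uses a constructed sample report with placeholder IDs.

```python
import json
import sys
from collections import Counter

# Rank used to apply a threshold such as "CRITICAL and HIGH only".
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample shaped like a `trivy image --format json` report; every ID,
# package and version below is a made-up placeholder, not a real finding.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "example/app:1.0 (debian 12.1)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
         "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
         "InstalledVersion": "2.3", "Severity": "HIGH"},  # no FixedVersion: no fix yet
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libminor",
         "InstalledVersion": "0.9", "FixedVersion": "0.9.1", "Severity": "LOW"}]},
    {"Target": "app/requirements.txt"}]})  # a clean target omits "Vulnerabilities"


def filter_findings(report_json, min_severity="HIGH"):
    """Return findings at or above min_severity, each tagged with its scan target."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    selected = []
    for result in json.loads(report_json).get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) >= threshold:
                selected.append({**vuln, "Target": result.get("Target", "")})
    return selected


def triage(findings):
    """Split findings into those an upgrade fixes and those with no FixedVersion,
    which need a different base image or a documented risk acceptance."""
    fixable = [f for f in findings if f.get("FixedVersion")]
    unfixed = [f for f in findings if not f.get("FixedVersion")]
    return {"fixable": fixable, "unfixed": unfixed}


def severity_counts(findings):
    """Count findings per severity level, e.g. {'CRITICAL': 1, 'HIGH': 1}."""
    return Counter(f.get("Severity", "UNKNOWN") for f in findings)


if __name__ == "__main__":
    # Usage: python triage.py report.json [MIN_SEVERITY]; falls back to the sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    level = sys.argv[2] if len(sys.argv) > 2 else "HIGH"
    found = filter_findings(raw, level)
    print(dict(severity_counts(found)))
    for bucket, items in triage(found).items():
        for f in items:
            print(f"{bucket:8} {f['Severity']:8} {f['VulnerabilityID']} {f['PkgName']} "
                  f"{f['InstalledVersion']} -> {f.get('FixedVersion') or 'no fix'}")
```

Run it against a real report saved with `trivy image --format json -o report.json <image>` to get the same fixable/unfixed split for your own images.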
Upon completion of this intermediate-level lab, you will be able to:
- Use Trivy to scan container images for vulnerabilities
- Scan images running in a Kubernetes cluster
- Employ strategies to reduce the number of vulnerabilities in container images running in your Kubernetes cluster
This lab is intended for:
- Candidates for the Certified Kubernetes Security Specialist (CKS) exam
- DevOps Engineers
- Security Practitioners
Familiarity with the following will be beneficial but is not required:
- Kubernetes Pods
The following content can be used to fulfill the prerequisites:
October 13th, 2023 - Updated Kubernetes version
Logan has been involved in software development and research since 2007 and has been in the cloud since 2012. He is an AWS Certified DevOps Engineer - Professional, AWS Certified Solutions Architect - Professional, Microsoft Certified Azure Solutions Architect Expert, MCSE: Cloud Platform and Infrastructure, Google Cloud Certified Associate Cloud Engineer, Certified Kubernetes Security Specialist (CKS), Certified Kubernetes Administrator (CKA), Certified Kubernetes Application Developer (CKAD), and Certified OpenStack Administrator (COA). He earned his Ph.D. studying design automation and enjoys all things tech.