Container images are an essential part of modern application deployments. Comprised of a collection of software components and libraries, container images can contain vulnerabilities and security weaknesses. These vulnerabilities can be exploited by attackers to gain unauthorized access to the container, the host operating system, and the underlying infrastructure.

Container image scanning tools can identify the vulnerabilities in images for you to acknowledge and determine what is an appropriate course of action be it updating library versions, choosing a different base image, or accepting the identified risks.

This lab focuses on the Trivy scanning tool by Aqua Security. Trivy is highlighted as a reference tool in the Certified Kubernetes Security Specialist (CKS) exam. You will learn how to scan images with Trivy and filter findings by severity in this lab. You will also apply what you learn to identify critical vulnerabilities in a sample application deployed in Kubernetes.

Learning objectives

Upon completion of this intermediate-level lab, you will be able to:

• Use Trivy to scan container images for vulnerabilities
• Scan images running a Kubernetes cluster
• Employ strategies to reduce the number of vulnerabilities in container images running in your Kubernetes cluster

Intended audience

• Candidates for the Certified Kubernetes Security Specialist (CKS) exam
• DevOps Engineers
• Security Practitioners

Prerequisites

Familiarity with the following will be beneficial but is not required:

• Kubernetes Pods
• kubectl output formatting

The following content can be used to fulfill the prerequisites:

• Introduction to Kubernetes