Trivybeat — get CVEs of running containers and send to Elasticsearch

More and more container registries and CI platforms can scan images for CVEs (Common Vulnerabilities and Exposures). That covers a freshly built image, and it stops you from pulling an outdated image with a pile of nasty CVEs out of a registry. But what about a container that has already been running in production for a long time without any updates? How do you avoid missing a critical CVE that was published only a day ago?

Trivy

Trivy can run as a server that keeps the vulnerability database up to date and scans the images that clients send to it. Create a docker-compose.yml file with the following content:

version: "2.4"
services:
  trivy:
    image: aquasec/trivy:0.16.0
    command: server --listen YOUR_IP_HERE:4954
    network_mode: host

Replace YOUR_IP_HERE with the address the server should bind to. With network_mode: host the server is reachable from anything that can reach that address, and Trivy's server mode does not authenticate clients by default, so bind it to a non-public interface or firewall the port; if you need more than that, trivy server and trivy client both accept a --token option for a shared secret.

Now, in the directory with the file, start the service with:

docker-compose up -d

To verify that the Trivy server is working, scan a local container image through it. The client container needs the Docker socket to read the image from the local daemon, and it should run the same Trivy tag as the server, because the client/server protocol is tied to the version:

docker run -v /var/run/docker.sock:/var/run/docker.sock --rm aquasec/trivy:0.16.0 client --remote http://YOUR_IP_HERE:4954 centos:7

The server should respond with a list of the CVEs found in the image.

Beats

Trivybeat

Trivy, Beats and Docker are all written in Go, so their Go libraries combine quite nicely into a new custom beat, Trivybeat: it discovers the containers running on the host through the Docker socket, has the Trivy server scan their images, and publishes the findings as events to Elasticsearch.
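As an added example (not Trivybeat's own code), here is the transformation at the core of such a beat: taking the JSON report the Trivy server returns for a container's image and flattening it into one event per finding, with a minimum-severity threshold. It assumes the Trivy 0.16 report layout (a top-level JSON array of per-target results, each with a Vulnerabilities list that is null for a clean target) and feeds in a constructed report with placeholder IDs; the event field names are this example's own choice, not Trivybeat's mapping.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// severityRank orders Trivy's severity names for a minimum-severity filter.
// UNKNOWN is lowest, so unrated findings survive only when the threshold is UNKNOWN.
var severityRank = map[string]int{
	"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4,
}

// trivyVuln and trivyResult mirror the subset of Trivy 0.16's JSON report
// (a top-level array of per-target results) that the beat needs.
type trivyVuln struct {
	VulnerabilityID  string `json:"VulnerabilityID"`
	PkgName          string `json:"PkgName"`
	InstalledVersion string `json:"InstalledVersion"`
	FixedVersion     string `json:"FixedVersion"`
	Severity         string `json:"Severity"`
}

type trivyResult struct {
	Target          string      `json:"Target"`
	Vulnerabilities []trivyVuln `json:"Vulnerabilities"` // null when the target is clean
}

// Event is the flat document published to Elasticsearch: one per (container,
// vulnerability), so Kibana can aggregate by severity, package or image.
// Field names are this example's own choice (assumption), not Trivybeat's.
type Event struct {
	Timestamp        time.Time `json:"@timestamp"`
	ContainerID      string    `json:"container_id"`
	Image            string    `json:"image"`
	Target           string    `json:"target"`
	VulnerabilityID  string    `json:"cve"`
	Severity         string    `json:"severity"`
	Package          string    `json:"pkg"`
	InstalledVersion string    `json:"installed_version"`
	FixedVersion     string    `json:"fixed_version,omitempty"`
	Fixable          bool      `json:"fixable"`
}

// ReportToEvents turns one Trivy JSON report for a running container into
// events, dropping findings below minSeverity. A malformed report or an
// unknown threshold is an error rather than a silently empty result, so a
// broken scan does not look like a clean container in the index.
func ReportToEvents(containerID, image string, report []byte, minSeverity string, now time.Time) ([]Event, error) {
	minRank, ok := severityRank[strings.ToUpper(minSeverity)]
	if !ok {
		return nil, fmt.Errorf("unknown minimum severity %q", minSeverity)
	}
	var results []trivyResult
	if err := json.Unmarshal(report, &results); err != nil {
		return nil, fmt.Errorf("parse trivy report for %s: %w", image, err)
	}
	var events []Event
	for _, r := range results {
		for _, v := range r.Vulnerabilities {
			sev := strings.ToUpper(v.Severity)
			if severityRank[sev] < minRank { // names Trivy never emits rank as 0
				continue
			}
			events = append(events, Event{
				Timestamp: now, ContainerID: containerID, Image: image, Target: r.Target,
				VulnerabilityID: v.VulnerabilityID, Severity: sev, Package: v.PkgName,
				InstalledVersion: v.InstalledVersion, FixedVersion: v.FixedVersion,
				Fixable: v.FixedVersion != "",
			})
		}
	}
	return events, nil
}

// sampleReport is a constructed, trimmed-down report in the Trivy 0.16 layout
// with placeholder vulnerability IDs; it is not real scanner output.
const sampleReport = `[
  {"Target": "centos:7 (centos 7.9.2009)", "Type": "centos", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "pkg-a", "InstalledVersion": "1.0-1.el7", "FixedVersion": "1.0-2.el7", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "pkg-b", "InstalledVersion": "2.3-1.el7", "FixedVersion": "", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "pkg-c", "InstalledVersion": "0.1-1.el7", "FixedVersion": "0.2-1.el7", "Severity": "LOW"}
  ]},
  {"Target": "/usr/local/bin/tool", "Type": "gobinary", "Vulnerabilities": null}
]`

func main() {
	events, err := ReportToEvents("0123456789ab", "centos:7", []byte(sampleReport), "HIGH", time.Now().UTC())
	if err != nil {
		panic(err)
	}
	// Print newline-delimited JSON, the shape a beat output would index.
	for _, e := range events {
		b, _ := json.Marshal(e)
		fmt.Println(string(b))
	}
}
```

Two practical points follow from this shape. Several containers usually share one image, so a real beat should scan each unique image once per period and fan the findings out per container rather than hitting the Trivy server once per container. And because an empty index is indistinguishable from a clean fleet, scan errors must be surfaced (logged, or published as their own error events) instead of being swallowed.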

How to build and run Trivybeat

  • Install mage (https://magefile.org/)
  • Clone the https://github.com/DmitryZ-outten/trivybeat repo into your Go path: $GOPATH/src/github.com/DmitryZ-outten/trivybeat (with the default GOPATH that is ~/go/src/github.com/DmitryZ-outten/trivybeat)
  • Run mage build
  • In trivybeat.yml, set the Trivy server URL and the Elasticsearch connection settings (hosts, username, password, index). If you point the beat at a custom index, Beats also requires setup.template.name and setup.template.pattern that match it, otherwise the beat refuses to start.
  • Start any container on the host, e.g. docker run -it --entrypoint=/bin/bash centos:7
  • Run ./trivybeat -e; the log should show that it found the running container and published events to Elasticsearch.

How to start Trivybeat in a container

  • Create a trivybeat.yml file with the needed settings and put it in the configs folder
  • Create a docker-compose.yml file with the following content:

version: "2.4"
services:
  trivybeat:
    image: "dmyz/trivybeat:latest"
    volumes:
      - ./configs:/configs
      - /var/run/docker.sock:/var/run/docker.sock

  • Start the container with: docker-compose up -d
  • Check Kibana to see the CVE information

Keep in mind that mounting the Docker socket gives the Trivybeat container full control over the Docker daemon, and therefore over the host, and that its config holds the Elasticsearch credentials. Pin the image to a specific tag rather than latest, and treat the configs folder like any other secrets store.