Trivy is one of the most reliable open-source tools for image scanning. Primarily famous for its incredible image scanning, it also supports scanning Kubernetes clusters/resources, file systems & git repositories for misconfigurations & security vulnerabilities.
Thanks to Anaïs Urlichs for inviting me to the beta & early adopters review.
As of Aug 15, 2022, Trivy is capable of scanning AWS resources for misconfigurations. The less known fact is that aquasec acquired cloudsploit, a Cloud Security Posture Management (CSPM) tool that supports AWS, GCP, Azure, Oracle, etc. It even covers standards like HIPPA, PCI & CIS benchmarks. For unforeseen reasons, cloudsploit didn't receive any updates since Aug 26, 2020. Nevertheless, now trivy can perform scans cloudsploit was capable of & beyond.
Kindly note that this is still an experimental phase. As of this writing, Trivy supports scanning 31 types of AWS resources for misconfiguration.
Authenticate to AWS account
Scan all resources in the default region
The region set during
aws configure will be picked up! This returns the summary/count of misconfigurations for supported resources.
Scan all resources in a specific region
trivy aws --region=us-east-1
The list can be lengthy and exhaustive to understand. The
service feature comes to the rescue.
Scan a single resource
The service feature shows more information on the misconfigurations.
trivy aws --service=ec2 trivy aws --service=ec2 --region=eu-west-1
Trivy supports multiple output formats, table, json, sarif, cosign-vuln, github, spdx, cyclonedx & lot more.
Sarif format allows us to view things visually better.
trivy aws --service=s3 --format=sarif --output=aws-s3-output.sarif
NOTE: If you have multiple misconfigurations/sensitive information in your output, DO NOT upload the results to an online website. Try setting up a local sarif viewer.
I don't have any sensitive information in my output, so I'm uploading them to an online sarif viewer from Microsoft. The output is clean & simple to digest.
Filter results based on vulnerability severity
trivy aws --service=s3 trivy aws --service=s3 --severity=MEDIUM
Trivy got several features like updating the local cache & filters like account, arn, endpoint, etc.
This is a massive enhancement from Trivy to integrate cloud/IaC scanning features into its arsenal. Though it's in the experimental phase, the scanning coverage & features are impressive. We can be sure Trivy plans to integrate more features related to AWS & move to other cloud provider integrations, thus making it the center for scanning universe.