Aqua Security this week announced that its open source Trivy vulnerability scanner is now available as an Aqua Security Trivy GitHub Action, which enables DevOps teams that use GitHub to scan both source code and the dependencies built into a container image for vulnerabilities.
Liz Rice, vice president of open source engineering for Aqua Security, says the collaboration with GitHub will enable IT organizations to accelerate adoption of best DevSecOps practices as they shift toward building microservice-based applications using containers.
The alliance with GitHub comes on the heels of a free open source code scanning tool dubbed CodeQL, which is being made generally available. Trivy and CodeQL are complementary in that they enable IT organizations to apply a defense-in-depth approach to DevSecOps, Rice notes.
The Aqua Security Trivy Action integration finds vulnerabilities (CVEs) in the operating system package dependencies and language libraries built into a container image. Trivy Action alerts developers to known vulnerabilities via the security tab in the GitHub user interface. It also generates output in the Static Analysis Results Interchange Format (SARIF), which provides a standard for sharing data between static application security testing (SAST) tools via a common application programming interface (API).
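As an added illustration (not code from the article, from Aqua Security or from GitHub's documentation), here is a minimal GitHub Actions workflow that builds an image, scans it with the Trivy Action in SARIF mode and uploads the report so findings land in the repository's security tab. The image name, the Dockerfile location, the severity filter and the action version tags are assumptions.

```yaml
# Added example workflow (not from the article). Assumed: a Dockerfile at the
# repository root, the image name "example-app", and the action version tags.
name: container-scan

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # needed to publish SARIF results to the security tab

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Build the image locally so Trivy can inspect its OS packages and language libraries.
      - name: Build image
        run: docker build -t example-app:${{ github.sha }} .

      # Scan the image and write SARIF; the job does not fail here, so results still surface in the UI.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: example-app:${{ github.sha }}
          format: sarif
          output: trivy-results.sarif
          vuln-type: os,library
          severity: CRITICAL,HIGH   # assumed threshold; lower it to see medium/low findings
          ignore-unfixed: true      # hide findings that have no fixed version yet, reducing noise
          exit-code: '0'            # report only; set to '1' to block the build on findings

      # Upload even if the scan step failed so partial results remain visible.
      - name: Upload Trivy results to the GitHub security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: trivy-results.sarif
```

Because the SARIF upload uses the same code-scanning endpoint as CodeQL, Trivy's container findings appear alongside CodeQL's source-code findings in one view.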
Rice says organizations in general are embracing best DevSecOps practices at a faster rate. In some cases, progress is driven by developers of their own initiative, while other organizations are moving toward melding workflows across DevOps and cybersecurity teams. At the same time, Trivy is being employed as the default container image scanner in Harbor, an open source container image registry project under the Cloud Native Computing Foundation (CNCF), as well as the registry from Docker Inc. and the Mirantis Docker Enterprise platform.
Trivy minimizes the friction often associated with DevSecOps processes by enabling scans to be conducted locally against a lightweight database of known vulnerabilities, notes Rice. Other approaches to scanning container images can take longer than many developers have the patience to tolerate.
Regardless of how developers are encouraged to scan for vulnerabilities, Rice says the next step is to automate as much of the vulnerability remediation process as possible while minimizing the number of false positives generated by scanning tools. False positives can push a developer to unnecessarily upgrade a module that ends up breaking their application.
As responsibility for application security continues to be pushed further left toward developers, the overall security of IT environments should improve steadily. In some cases, IT security teams might not even know how that goal was accomplished because in most cases they don’t play an active role in the application development process.
In the meantime, developers would do well to remember there is no such thing as secure open source code. New vulnerabilities are discovered even after applications are deployed in production environments. Savvy IT teams scan for vulnerabilities before, during and after applications are deployed. Depending solely on developers to make sure their application code is secure isn’t enough in an age where there are plenty of vulnerabilities being exploited across multiple runtimes and container host platforms.