Secure Your CI/CD Pipelines with GitHub Actions and Trivy

Integrating Image Scanning with GitHub Actions: A Comprehensive Guide

Introduction

Keeping container-based applications secure is crucial in modern DevOps workflows. Automated scanning of Docker images during CI/CD pipelines can prevent vulnerabilities from reaching production environments, saving considerable time and effort and potentially preventing significant damage. In this guide, I’ll take you step-by-step through integrating automated image scanning into your GitHub Actions workflow using Trivy, a popular and powerful security scanner.

What is Trivy and Why Use It?

Trivy is a widely adopted open-source security scanner that identifies vulnerabilities in container images, source code, and dependencies. Known for its speed, simplicity, and extensive vulnerability database, Trivy provides fast and accurate results, making it an excellent choice for DevOps teams aiming to enhance their security posture without slowing down their development pipeline.

Step-by-Step: Integrating Trivy with GitHub Actions

1. Prepare Your Repository

To start, create a workflow YAML file inside your repository. This file will live in the .github/workflows directory. For this example, name it docker-scan.yml.

mkdir -p .github/workflows
touch .github/workflows/docker-scan.yml

2. Configuring the GitHub Actions Workflow

Below is a detailed YAML configuration example to build and scan Docker images using Trivy:

name: Docker Image Security Scan

on:
  push:
    branches:
      - main

jobs:
  scan:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Set up Docker
        uses: docker/setup-buildx-action@v3

      - name: Build Docker Image
        run: |
          docker build -t myapp:${{ github.sha }} .

      - name: Scan Docker Image with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: myapp:${{ github.sha }}
          severity: 'CRITICAL,HIGH'
          exit-code: '1'
          format: table

This configuration:

- triggers on every push to the main branch;
- checks out the repository and sets up Docker Buildx;
- builds the image and tags it with the commit SHA (myapp:${{ github.sha }}), so every scan result is tied to an exact commit;
- scans that image with Trivy, reports only CRITICAL and HIGH findings as a table, and returns exit code 1 (failing the job) when any are found.

Note that aquasecurity/trivy-action@master is a floating reference: the job runs whatever the action's master branch contains at run time. Pinning the action to a release tag or, better, a full commit SHA keeps the pipeline reproducible and shields it from unreviewed changes to the action.
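The workflow above references aquasecurity/trivy-action@master, and checking every action reference in a workflow for such floating refs is a quick, repeatable control. The script below is an added example and is not part of the original article or of any GitHub tooling: it scans a workflow file for uses: lines and classifies each ref as a full commit SHA, a version tag, or a branch name. The embedded workflow text is the article's own workflow, reproduced as constructed input; the classification rules (40 hex characters means a commit, v-prefixed numbers mean a tag, anything else is treated as a branch) are this script's assumptions.

```python
"""Audit the `uses:` references in a GitHub Actions workflow for floating refs.

Added example, not part of the original article. A 40-hex ref is an immutable
commit; v1 / v4.1.2 style refs are tags that maintainers can move; anything
else is treated as a branch name and flagged for pinning.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(?:\.\d+)*$")
# Matches "uses: owner/repo@ref" or "- uses: owner/repo@ref", quotes optional.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"@]+)@([^\s'"#]+)""")

# Constructed sample input: the article's workflow, reproduced as text.
SAMPLE_WORKFLOW = """\
name: Docker Image Security Scan
on:
  push:
    branches:
      - main
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
      - name: Set up Docker
        uses: docker/setup-buildx-action@v3
      - name: Build Docker Image
        run: docker build -t myapp:${{ github.sha }} .
      - name: Scan Docker Image with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: myapp:${{ github.sha }}
"""


def classify_ref(ref):
    """Return 'sha', 'tag' or 'branch' for the ref part of a `uses:` value."""
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"


def audit_workflow(text):
    """Return one dict per external action reference found in the workflow text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        # Local actions (./path) and docker:// images are out of scope here.
        if action.startswith("./") or action.startswith("docker://"):
            continue
        findings.append({"line": lineno, "action": action, "ref": ref,
                         "kind": classify_ref(ref)})
    return findings


def floating_refs(text):
    """Only the branch-pinned references, i.e. the ones to fix first."""
    return [f for f in audit_workflow(text) if f["kind"] == "branch"]


if __name__ == "__main__":
    import sys
    # Usage: python audit_actions.py .github/workflows/docker-scan.yml
    # (falls back to the embedded sample when no file is given)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    for f in audit_workflow(source):
        print(f"line {f['line']:>3}: {f['action']}@{f['ref']}  [{f['kind']}]")
    sys.exit(1 if floating_refs(source) else 0)
```

Run against the article's workflow it reports the two tag-pinned actions and flags aquasecurity/trivy-action@master; a non-zero exit makes it usable as a CI step of its own. Tags are classified separately from commits because a tag can be moved, so a policy that requires SHA pinning would treat "tag" as a finding too.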

Running and Evaluating the Pipeline

With this workflow set up, each push to the main branch triggers the following sequence: the repository is checked out, the Docker image is built and tagged with the commit SHA, and Trivy scans that image for CRITICAL and HIGH vulnerabilities.

If any CRITICAL or HIGH vulnerability is found, the Trivy step exits with code 1 and the job fails, clearly alerting you to fix the issues immediately; lower-severity findings are not reported with the severity filter shown above.
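The pass/fail decision above is made inside trivy-action from its severity and exit-code inputs. The script below is an added example, not part of the original article or of Trivy, that reproduces that gate over a report produced with trivy image --format json, so a developer can reproduce the pipeline's verdict locally or apply a different policy (for instance ignoring findings that have no fixed version yet, mirroring Trivy's own --ignore-unfixed option). The embedded report is constructed to mirror the lab output later in the article; the fixed versions, the Target string and the CVE-0000-* identifiers are placeholders, not real advisory data.

```python
"""Severity gate over a Trivy JSON report (trivy image --format json).

Added example, not part of the original article. Reads the report, keeps the
findings at or above the configured severities, optionally drops findings with
no fixed version, and returns the exit code the pipeline would use.
"""
import json
from collections import Counter

DEFAULT_SEVERITIES = ("CRITICAL", "HIGH")

# Constructed sample report; only the fields this script reads are included.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "myapp:0000000 (alpine)",   # placeholder target
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2020-8231", "PkgName": "curl",
             "InstalledVersion": "7.69.1-r3", "FixedVersion": "7.69.1-r4",  # placeholder fix
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2020-8286", "PkgName": "curl",
             "InstalledVersion": "7.69.1-r3", "FixedVersion": "7.69.1-r4",  # placeholder fix
             "Severity": "HIGH"},
            # Placeholder finding with no fix published yet.
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libplaceholder",
             "InstalledVersion": "1.0.0-r0", "Severity": "HIGH"},
            # Placeholder finding below the gate's threshold.
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libplaceholder",
             "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0",
             "Severity": "LOW"},
        ],
    }],
})


def load_report(text):
    """Flatten a Trivy JSON report into one dict per finding."""
    report = json.loads(text)
    findings = []
    for result in report.get("Results") or []:         # absent when nothing was scanned
        for v in result.get("Vulnerabilities") or []:   # absent when a target is clean
            findings.append({
                "target": result.get("Target", ""),
                "id": v.get("VulnerabilityID", ""),
                "pkg": v.get("PkgName", ""),
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion") or "",   # "" means no fixed version yet
                "severity": (v.get("Severity") or "UNKNOWN").upper(),
            })
    return findings


def select_findings(findings, severities=DEFAULT_SEVERITIES, ignore_unfixed=False):
    """Findings that match the severity filter (and have a fix, if requested)."""
    wanted = {s.upper() for s in severities}
    return [f for f in findings
            if f["severity"] in wanted and (f["fixed"] or not ignore_unfixed)]


def summary_line(findings, severities=DEFAULT_SEVERITIES):
    """Summary in the same shape as Trivy's table header, e.g. Total: 2 (CRITICAL: 1, HIGH: 1)."""
    counts = Counter(f["severity"] for f in findings)
    parts = ", ".join(f"{s}: {counts.get(s.upper(), 0)}" for s in severities)
    return f"Total: {len(findings)} ({parts})"


def gate(findings, severities=DEFAULT_SEVERITIES, ignore_unfixed=False):
    """Return (exit_code, summary, failing): 1 when any selected finding remains, else 0."""
    failing = select_findings(findings, severities, ignore_unfixed)
    return (1 if failing else 0), summary_line(failing, severities), failing


def render_table(findings):
    """Plain ASCII table of the failing findings, one row per vulnerability."""
    header = ("LIBRARY", "VULNERABILITY ID", "SEVERITY", "INSTALLED VERSION", "FIXED VERSION")
    rows = [(f["pkg"], f["id"], f["severity"], f["installed"], f["fixed"] or "-")
            for f in findings]
    widths = [max(len(r[i]) for r in [header, *rows]) for i in range(len(header))]
    sep = "+" + "+".join("-" * (w + 2) for w in widths) + "+"

    def fmt(row):
        return "| " + " | ".join(c.ljust(w) for c, w in zip(row, widths)) + " |"

    return "\n".join([sep, fmt(header), sep, *map(fmt, rows), sep])


if __name__ == "__main__":
    import sys
    # Usage: trivy image --format json myapp:TAG | python gate.py [--ignore-unfixed]
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    code, summary, failing = gate(load_report(text),
                                  ignore_unfixed="--ignore-unfixed" in sys.argv)
    print(summary)
    if failing:
        print(render_table(failing))
    sys.exit(code)
```

With the default policy the sample yields exit code 1 and "Total: 3 (CRITICAL: 1, HIGH: 2)"; with --ignore-unfixed the unfixed placeholder finding drops out and the summary matches the article's "Total: 2 (CRITICAL: 1, HIGH: 1)". The FixedVersion column is worth keeping in a gate's output because a finding with no published fix cannot be remediated by a version bump and usually needs a different response (base image change, compensating control, or a documented exception).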

Practical Example (Lab)

Let’s simulate a real-world vulnerability scenario:

Step 1: Introducing a Vulnerability

Modify your Dockerfile to deliberately add an insecure version of a dependency, like this:

FROM node:14-alpine
RUN apk add curl=7.69.1-r3

This specific version of curl includes known security vulnerabilities. Note that apk can only install a pinned version that is still present in the image's configured package repositories; Alpine removes superseded builds from its index, so an older pin like this may fail with an "unable to select packages" error rather than install the vulnerable build. Any image whose base layer or packages are out of date will exercise the gate just as well.

Step 2: Executing the Workflow

Commit and push these changes to your GitHub repository’s main branch. GitHub Actions will automatically execute your pipeline.

You should see results similar to:

Total: 2 (CRITICAL: 1, HIGH: 1)

+------------+------------------+----------+-------------------+
| LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |
+------------+------------------+----------+-------------------+
| curl       | CVE-2020-8231    | CRITICAL | 7.69.1-r3         |
| curl       | CVE-2020-8286    | HIGH     | 7.69.1-r3         |
+------------+------------------+----------+-------------------+

These clear, detailed outputs highlight exactly which vulnerabilities you must address before deploying to production.

Improving Your Security Practices

Beyond scanning, you should consider:

Conclusion

Integrating Trivy into your GitHub Actions workflow is an effective way to enforce security best practices without compromising your development speed. By proactively identifying and mitigating vulnerabilities, you ensure robust, secure applications and maintain trust with your stakeholders. Security is a continuous journey, and automated tools like Trivy are invaluable allies in keeping you ahead of the threats.
