Aqua Trivy open-source security scanner now finds Kubernetes security risks

The Aqua Trivy open-source scanner now supports vulnerability scanning for Kubernetes components and Kubernetes Bill of Materials (KBOM) generation. Now, companies can better understand the components within their Kubernetes environment and how secure they are to reduce risk.

“Aqua Trivy is the only open source tool covering all cloud-native scanning needs, including source code, repositories, images, artifact registries, Infrastructure as Code (IaC) templates, and Kubernetes environments. Developers, DevOps and DevSecOps, have a more efficient, simplified tool to ensure the security of their cloud-native applications and can integrate security into their workflows without having to leave their continuous integration or continuous deployment (CI/CD) environments,” Itay Shakury, VP of Open Source at Aqua Security, told Help Net Security.

“Unlike other open-source scanners, Aqua Trivy provides visibility across operating system packages and language-specific dependencies and is easy to integrate into organizations’ software development pipelines. It has a compact database with auto-update capabilities that do not require external middleware or database dependencies. Aqua Trivy will automatically keep the database up-to-date by downloading the latest pre-built version from GitHub. This makes the tool extremely fast and efficient — scanning takes only seconds,” Shakury added.

What Trivy can scan

• Container Image
• Filesystem
• Git Repository (remote)
• Virtual Machine Image
• Kubernetes
• AWS

What Trivy can find

• OS packages and software dependencies in use (SBOM)
• Known vulnerabilities (CVEs)
• IaC issues and misconfigurations
• Sensitive information and secrets
• Software licenses

“Aqua Trivy is already a very comprehensive and capable scanner, and we want to continue this trend by adding more scan targets (what Trivy can scan) and scanners (what Trivy can find). This will increase its coverage and applicability to practically every cloud-native use case and make it the one-stop shop for everything security scanning. This vision includes incorporating other security scanning tools into Aqua Trivy, including our other popular open-source projects Starboard, kube-bench, kube-hunter, and tfsec,” Shakury concluded.

Trivy is available for free on GitHub.

More open-source tools to consider:

• Logging Made Easy: Free log management solution from CISA
• GOAD: Vulnerable Active Directory environment for practicing attack techniques
• Wazuh: Free and open-source XDR and SIEM
• Yeti: Open, distributed, threat intelligence repository
• BinDiff: Open-source comparison tool for binary files
• LLM Guard: Open-source toolkit for securing Large Language Models
• Velociraptor: Open-source digital forensics and incident response