Aqua Blog

Golang Scanning with Trivy: Detect Vulnerabilities Accurately

A standard piece of security advice is to reduce the size of your container images, usually by shipping statically compiled binaries in a scratch or distroless base image. However, that complicates container vulnerability scanning: with no package manager database (apk, dpkg, rpm) in the image, a scanner has nothing to read the installed software versions from, so a naive scan reports the image as clean simply because it found nothing to inspect. Fortunately, if you’re using Trivy, a popular open source scanner, a couple of useful features can help solve this problem.

Golang binary scanning

The first option is to use Trivy’s Golang binary scanning feature. This enables Trivy to look inside compiled Golang programs found in the image, extract the list of modules they were built from, and match those module versions against its vulnerability database.

Trivy takes advantage of the fact that, by default, the Go toolchain embeds build information into every binary it produces: the main module, each dependency module with its version (after any replace directive has been applied), and the build settings. This is the same record you can inspect yourself with go version -m on a binary, so if that command shows the module list, Trivy can scan it.

As an example of this scanning, a container image with several Golang programs will produce output like this:

trivy i raesene/alpine-containertools

[Screenshot: output of Trivy scan of a container image]

This shows, for each Go binary found, its path inside the image and the vulnerabilities matched against the module versions embedded in it.

Of course, there are times when compiled binaries won’t provide the information we need. For example, the Caddy project strips module information from their released binaries, so if we scan their container image, we’ll get something like this:

[Screenshot: Trivy output from scanning the caddy image]

In cases like this, the binary carries no module list for Trivy to read, and a scan that reports no findings is not evidence of the absence of vulnerabilities. We need another approach.
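To make concrete what Trivy is reading in the binary scan above, and what goes wrong when that record is absent as in the Caddy case, here is an added example (not Trivy’s own code, and not from the Caddy project) that extracts the embedded module list from a Go binary using the standard library’s debug/buildinfo package, the same data go version -m prints. The sampleBuildInfo record, its module paths and its h1: sums are constructed placeholders; ScanBinary on a file without build info returns an error rather than an empty, clean-looking result.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
)

// Module is the (path, version) pair a scanner matches against its advisory database.
type Module struct {
	Path    string
	Version string
}

// ModulesFromBuildInfo flattens embedded build info into the modules that were
// actually linked. A replace directive means the replacement, not the original,
// was compiled in, so the replacement is reported. The main module is reported
// only when it carries a real version: a binary built from an untagged checkout
// records "(devel)", which cannot be matched against any advisory.
func ModulesFromBuildInfo(bi *debug.BuildInfo) []Module {
	var mods []Module
	add := func(m debug.Module) {
		if m.Replace != nil {
			m = *m.Replace
		}
		if m.Version == "" || m.Version == "(devel)" {
			return
		}
		mods = append(mods, Module{Path: m.Path, Version: m.Version})
	}
	add(bi.Main)
	for _, d := range bi.Deps {
		add(*d)
	}
	return mods
}

// ModulesFromText parses the text form of the record (the format printed by
// `go version -m`) and flattens it. Used here so the sample runs offline.
func ModulesFromText(data string) ([]Module, error) {
	bi, err := debug.ParseBuildInfo(data)
	if err != nil {
		return nil, err
	}
	return ModulesFromBuildInfo(bi), nil
}

// ScanBinary reads the build info embedded in a compiled Go binary on disk.
// A non-Go file, or a Go binary whose build info was stripped, yields an error:
// this is the "nothing to scan" case a scanner must surface, not report as clean.
func ScanBinary(path string) ([]Module, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("%s: no usable Go build info: %w", path, err)
	}
	return ModulesFromBuildInfo(bi), nil
}

// sampleBuildInfo is a constructed record in `go version -m` format. The module
// paths and h1: sums are placeholders, not taken from any real binary. The main
// module is "(devel)", and example/oldlog is replaced by example/newlog.
const sampleBuildInfo = "path\tgithub.com/example/tool\n" +
	"mod\tgithub.com/example/tool\t(devel)\t\n" +
	"dep\tgolang.org/x/text\tv0.3.7\th1:placeholder-sum-1\n" +
	"dep\tgithub.com/example/oldlog\tv1.0.0\th1:placeholder-sum-2\n" +
	"=>\tgithub.com/example/newlog\tv1.2.0\th1:placeholder-sum-3\n" +
	"build\t-compiler=gc\n" +
	"build\tCGO_ENABLED=0\n"

func main() {
	paths := os.Args[1:]
	if len(paths) == 0 {
		// With no arguments, inspect this program's own binary: the toolchain
		// embedded build info into it as well.
		if self, err := os.Executable(); err == nil {
			paths = []string{self}
		}
	}
	for _, p := range paths {
		mods, err := ScanBinary(p)
		if err != nil {
			fmt.Fprintln(os.Stderr, err) // stripped or non-Go file: say so loudly
			continue
		}
		fmt.Printf("%s:\n", p)
		for _, m := range mods {
			fmt.Printf("  %s %s\n", m.Path, m.Version)
		}
	}
	mods, err := ModulesFromText(sampleBuildInfo)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		return
	}
	fmt.Println("constructed sample:")
	for _, m := range mods {
		fmt.Printf("  %s %s\n", m.Path, m.Version)
	}
}
```

Run it with go run on the file, passing the paths of binaries copied out of an image (for example with docker cp), and compare its module list with what trivy image reports for the same binary. The two points worth noting are that the replaced module is what gets reported, because that is what was compiled, and that a "(devel)" main module contributes no version at all, so vulnerabilities in the program's own module cannot be found this way even when the dependency list is intact.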

Scanning GitHub repositories

When it’s not possible to scan binary programs, but the source code is available online, you can use Trivy to scan the repository instead and get a view of the library versions it depends on. For the Caddy project, this would look like this:

trivy repo https://github.com/caddyserver/caddy

[Screenshot: Trivy scan of the caddy GitHub repository]

This approach parses the Go module files checked into the repository (go.sum here) and reads the dependency versions recorded there, rather than reading a compiled artifact. Two caveats follow from that. First, the scan reflects the source at the revision Trivy checked out, which is not necessarily the revision the container image was built from, so pin the scan to the released tag (trivy repo accepts --branch, --tag and --commit for this, and trivy fs works the same way on a local checkout). Second, go.sum is a superset of what gets built: it retains entries for superseded versions and for modules whose go.mod was only consulted during version resolution, so it can produce findings for code that is not in the shipped binary.
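To show why a go.sum-based scan over-approximates, here is an added example (not Trivy’s parser) that reads go.sum text and separates modules whose code was checksummed from modules that appear only via a /go.mod entry, then flags module paths listed at more than one version. The sampleGoSum content, its module paths and its h1: sums are constructed placeholders.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Module is the (path, version) pair a scanner matches against its advisory database.
type Module struct {
	Path    string
	Version string
}

// ParseGoSum reads go.sum lines of the form "<module> <version> <hash>".
// A version ending in "/go.mod" records only that the module's go.mod was
// consulted during resolution, not that its code was built, so such modules
// are returned separately in goModOnly unless a full entry also exists.
func ParseGoSum(data string) (built, goModOnly []Module) {
	full := map[Module]bool{}
	modOnly := map[Module]bool{}
	for _, line := range strings.Split(data, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 3 {
			continue // blank or malformed line
		}
		m := Module{Path: fields[0], Version: strings.TrimSuffix(fields[1], "/go.mod")}
		if strings.HasSuffix(fields[1], "/go.mod") {
			modOnly[m] = true
		} else {
			full[m] = true
		}
	}
	for m := range full {
		built = append(built, m)
	}
	for m := range modOnly {
		if !full[m] {
			goModOnly = append(goModOnly, m)
		}
	}
	sortModules(built)
	sortModules(goModOnly)
	return built, goModOnly
}

// MultiVersionPaths returns module paths that go.sum lists at more than one
// version. Only one of them is selected for a build, so findings against the
// others need confirmation from go.mod, `go list -m all`, or the binary itself.
func MultiVersionPaths(mods []Module) []string {
	versions := map[string]int{}
	for _, m := range mods {
		versions[m.Path]++
	}
	var paths []string
	for p, n := range versions {
		if n > 1 {
			paths = append(paths, p)
		}
	}
	sort.Strings(paths)
	return paths
}

// sortModules orders by path then by version string. Plain string ordering is
// enough for deterministic output; proper precedence would need semver parsing.
func sortModules(mods []Module) {
	sort.Slice(mods, func(i, j int) bool {
		if mods[i].Path != mods[j].Path {
			return mods[i].Path < mods[j].Path
		}
		return mods[i].Version < mods[j].Version
	})
}

// sampleGoSum is a constructed go.sum excerpt: example/dep is present at two
// versions, example/onlymod has a /go.mod entry only, and the sums are placeholders.
const sampleGoSum = `github.com/example/dep v1.0.0 h1:placeholder-sum-1
github.com/example/dep v1.0.0/go.mod h1:placeholder-sum-2
github.com/example/dep v1.1.0 h1:placeholder-sum-3
github.com/example/dep v1.1.0/go.mod h1:placeholder-sum-4
github.com/example/onlymod v0.9.0/go.mod h1:placeholder-sum-5
golang.org/x/text v0.3.7 h1:placeholder-sum-6
golang.org/x/text v0.3.7/go.mod h1:placeholder-sum-7
`

func main() {
	built, goModOnly := ParseGoSum(sampleGoSum)
	fmt.Println("modules with code checksummed (candidates for scanning):")
	for _, m := range built {
		fmt.Printf("  %s %s\n", m.Path, m.Version)
	}
	fmt.Println("modules seen only via go.mod (not built):")
	for _, m := range goModOnly {
		fmt.Printf("  %s %s\n", m.Path, m.Version)
	}
	fmt.Println("paths at more than one version (confirm before reporting):")
	for _, p := range MultiVersionPaths(built) {
		fmt.Printf("  %s\n", p)
	}
}
```

Point the same parser at a real go.sum and compare the built list against go list -m all in the same checkout: the entries that exist only in go.sum are exactly the ones a go.sum-based scan can report that a binary scan never will.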

Summary

When implementing security measures like minimizing the size of container images, it’s always important to consider the trade-offs. In some cases, it may be necessary to change the approach to vulnerability scanning to ensure that vulnerabilities are still detected appropriately. As we saw, with Trivy, this process is easy to handle.

Rory McCune
Rory was a Cloud Native Security Advocate at Aqua. He has worked in the Information and IT Security arena for the last 20 years in a variety of roles. He is an active member of the container security community having delivered presentations at a variety of IT and Information security conferences. He has also presented at major containerization conferences and is an author of the CIS Benchmarks for Docker and Kubernetes and main author of the Mastering Container Security training course which has been delivered at numerous industry conferences including Blackhat USA.