Virtual Machine Image
EXPERIMENTAL
This feature might change without preserving backwards compatibility.
To scan virtual machine (VM) images, you can use the vm
subcommand.
Targets
The following targets are currently supported:
- Local file
- AWS EC2
- Amazon Machine Image (AMI)
- Amazon Elastic Block Store (EBS) Snapshot
Local file
Pass the path to your local VM image file.
$ trivy vm --scanners vuln disk.vmdk
Result
disk.vmdk (amazon 2 (Karoo))
===========================================================================================
Total: 802 (UNKNOWN: 0, LOW: 17, MEDIUM: 554, HIGH: 221, CRITICAL: 10)
┌────────────────────────────┬────────────────┬──────────┬───────────────────────────────┬───────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├────────────────────────────┼────────────────┼──────────┼───────────────────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ amazon-ssm-agent │ CVE-2022-24675 │ HIGH │ 3.0.529.0-1.amzn2 │ 3.1.1575.0-1.amzn2 │ golang: encoding/pem: fix stack overflow in Decode │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-24675 │
├────────────────────────────┼────────────────┤ ├───────────────────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ bind-export-libs │ CVE-2021-25215 │ │ 32:9.11.4-26.P2.amzn2.4 │ 32:9.11.4-26.P2.amzn2.5 │ bind: An assertion check can fail while answering queries │
│ │ │ │ │ │ for DNAME records... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25215 │
│ ├────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-25214 │ MEDIUM │ │ 32:9.11.4-26.P2.amzn2.5.2 │ bind: Broken inbound incremental zone update (IXFR) can │
│ │ │ │ │ │ cause named to terminate... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25214 │
├────────────────────────────┼────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ bind-libs │ CVE-2021-25215 │ HIGH │ │ 32:9.11.4-26.P2.amzn2.5 │ bind: An assertion check can fail while answering queries │
│ │ │ │ │ │ for DNAME records... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25215 │
│ ├────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-25214 │ MEDIUM │ │ 32:9.11.4-26.P2.amzn2.5.2 │ bind: Broken inbound incremental zone update (IXFR) can │
│ │ │ │ │ │ cause named to terminate... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25214 │
├────────────────────────────┼────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ bind-libs-lite │ CVE-2021-25215 │ HIGH │ │ 32:9.11.4-26.P2.amzn2.5 │ bind: An assertion check can fail while answering queries │
│ │ │ │ │ │ for DNAME records... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25215 │
│ ├────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-25214 │ MEDIUM │ │ 32:9.11.4-26.P2.amzn2.5.2 │ bind: Broken inbound incremental zone update (IXFR) can │
│ │ │ │ │ │ cause named to terminate... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25214 │
├────────────────────────────┼────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
...
Amazon Machine Image (AMI)
You can specify your AMI ID with the ami:
prefix.
$ trivy vm ami:${your_ami_id}
Note
AMIs in the marketplace are not supported because the EBS direct APIs don't support that. See the AWS documentation for the detail.
Example
$ trivy vm --scanners vuln ami:ami-0123456789abcdefg
If you want to scan a AMI of non-default setting region, you can set any region via --aws-region
option.
$ trivy vm --aws-region ap-northeast-1 ami:ami-0123456789abcdefg
Required Actions
Some actions on EBS are also necessary since Trivy scans an EBS snapshot tied to the specified AMI under the hood.
- ec2:DescribeImages
- ebs:ListSnapshotBlocks
- ebs:GetSnapshotBlock
Amazon Elastic Block Store (EBS) Snapshot
You can specify your EBS snapshot ID with the ebs:
prefix.
$ trivy vm ebs:${your_ebs_snapshot_id}
Note
Public snapshots are not supported because the EBS direct APIs don't support that. See the AWS documentation for the detail.
Example
$ trivy vm --scanners vuln ebs:snap-0123456789abcdefg
If you want to scan an EBS Snapshot of non-default setting region, you can set any region via --aws-region
option.
$ trivy vm --aws-region ap-northeast-1 ebs:ebs-0123456789abcdefg
The above command takes a while as it calls EBS API and fetches the EBS blocks. If you want to scan the same snapshot several times, you can download the snapshot locally by using coldsnap maintained by AWS. Then, Trivy can scan the local VM image file.
$ coldsnap download snap-0123456789abcdefg disk.img
$ trivy vm ./disk.img
Required Actions
- ebs:ListSnapshotBlocks
- ebs:GetSnapshotBlock
Scanners
Trivy supports VM image scanning for
- Vulnerabilities
- Misconfigurations
- Secrets
- Licenses
Vulnerabilities
It is enabled by default. You can simply specify your VM image location. It detects known vulnerabilities in your VM image. See here for the detail.
$ trivy vm [YOUR_VM_IMAGE]
Misconfigurations
It is supported, but it is not useful in most cases.
As mentioned here, Trivy mainly supports Infrastructure as Code (IaC) files for misconfigurations.
If your VM image includes IaC files such as Kubernetes YAML files or Terraform files, you should enable this feature with --scanners misconfig
.
$ trivy vm --scanners misconfig [YOUR_VM_IMAGE]
Secrets
It is enabled by default. See here for the detail.
$ trivy vm [YOUR_VM_IMAGE]
Tip
The scanning could be faster if you enable only vulnerability scanning (--scanners vuln
) because Trivy tries to download only necessary blocks for vulnerability detection.
Licenses
It is disabled by default. See here for the detail.
$ trivy vm --scanners license [YOUR_VM_IMAGE]
SBOM generation
Trivy can generate SBOM for VM images. See here for the detail.
Supported Architectures
Virtual machine images
Image format | Support |
---|---|
VMDK | ✔ |
OVA | |
VHD | |
VHDX | |
QCOW2 |
VMDK disk types
VMDK disk type | Support |
---|---|
streamOptimized | ✔ |
monolithicSparse | |
vmfs | |
vmfsSparse | |
twoGbMaxExtentSparse | |
monolithicFlat | |
twoGbMaxExtentFlat | |
vmfsRaw | |
fullDevice | |
partitionedDevice | |
vmfsRawDeviceMap | |
vmfsPassthroughRawDeviceMap |
Reference: VMware Virtual Disk Format 1.1.pdf
Disk partitions
Disk format | Support |
---|---|
Master boot record (MBR) | ✔ |
Extended master boot record | |
GUID partition table (GPT) | ✔ |
Logical volume manager (LVM) |
Filesystems
Filesystem format | Support |
---|---|
XFS | ✔ |
EXT4 | ✔ |
EXT2/3 | |
ZFS |