Container and Infrastructure Security Scanning: A Comprehensive Guide
Trivy Implementation Container Scanning Pipeline # GitLab CI Pipeline Configuration container_scan: image: aquasec/trivy:latest variables: TRIVY_NO_PROGRESS: "true" TRIVY_CACHE_DIR: ".trivycache/" script: - trivy image --exit-code 1 --severity HIGH,CRITICAL --no-progress --format template --template "@/contrib/sarif.tpl" -o trivy-results.sarif $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA artifacts: reports: security: trivy-results.sarif Kubernetes Manifest Scanning apiVersion: batch/v1 kind: CronJob metadata: name: trivy-cluster-scan spec: schedule: "0 0 * * *" jobTemplate: spec: template: spec: serviceAccountName: trivy-scanner containers: - name: trivy image: aquasec/trivy:latest args: - k8s - --report=summary - --severity=HIGH,CRITICAL - all volumeMounts: - name: results mountPath: /results volumes: - name: results persistentVolumeClaim: claimName: scan-results Snyk Integration GitHub Action Integration name: Snyk Security Scan on: pull_request jobs: security: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - name: Run Snyk to check for vulnerabilities uses: snyk/actions/node@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: args: --severity-threshold=high - name: Container Scan uses: snyk/actions/docker@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: image: your-registry/app:latest args: --file=Dockerfile - name: IaC Scan uses: snyk/actions/iac@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: args: --severity-threshold=high Wiz Implementation Cloud Configuration Scanning # Terraform configuration for Wiz resource "wiz_automation_rule" "critical_vuln" { name = "Critical Vulnerability Alert" description = "Alert on critical vulnerabilities in production" enabled = true trigger { type = "VULNERABILITY" vulnerabilities { severity = ["CRITICAL"] has_fix = true } } actions { create_issue { provider = "JIRA" project = "SEC" type = "Bug" } send_notification { channels = ["SLACK"] template = "critical-vuln" } } } Production Implementation Multi-Scanner Integration # ArgoCD Application for Security Scanning apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: security-scanners spec: project: security source: repoURL: https://github.com/org/security-configs.git targetRevision: HEAD path: scanners/ destination: server: https://kubernetes.default.svc namespace: security syncPolicy: automated: prune: true selfHeal: true syncOptions: - CreateNamespace=true --- # Scanner Configuration apiVersion: v1 kind: ConfigMap metadata: name: scanner-config data: trivy.yaml: | severity: CRITICAL,HIGH ignore-unfixed: true timeout: 10m snyk.yaml: | severity-threshold: high fail-on: upgradable wiz.yaml: | scan-interval: 6h alert-threshold: CRITICAL compliance-frameworks: - SOC2 - PCI