Skip to content

Ticket #16: Trivy Vulnerability Scan & Hardening #56

Description

@PuneethM-06

Description

Perform a security assessment of the linux-sysmonitor Docker image using Trivy, then harden the image by addressing identified vulnerabilities and following Docker security best practices. Document the improvements and compare security results before and after remediation.


Tasks

  • Install Trivy (or run it using the official Trivy container).
  • Perform an initial vulnerability scan:
    trivy image linux-sysmonitor:v2
  • Record the baseline scan results, including:
    • Critical CVEs
    • High CVEs
    • Medium CVEs
    • Low CVEs
  • Pin the base image to a specific version or image digest instead of using a floating tag.
  • Remove unnecessary packages and dependencies from the final runtime image.
  • Create a dedicated non-root user and run the container as that user:
    USER appuser
  • Rebuild the hardened image.
  • Run a second Trivy scan on the updated image.
  • Compare vulnerability counts before and after the changes.
  • Save both scan reports in a Markdown file (e.g., SECURITY.md) or your daily notes.

Acceptance Criteria

  • Initial Trivy scan is completed and documented.
  • Docker image is hardened using Docker security best practices.
  • Base image is pinned to a specific version or digest.
  • Container runs as a non-root user.
  • Final image contains only required runtime dependencies.
  • Vulnerability count is reduced compared to the baseline scan.
  • No Critical CVEs remain, or any remaining issues are clearly documented with justification.

Commit Message

fix: harden image based on Trivy scan results (closes #16)

Why This Matters

Container security is a core DevSecOps responsibility. This exercise demonstrates how to identify, prioritize, and remediate vulnerabilities before deploying an application.

Key concepts covered include:

  • Vulnerability scanning with Trivy
  • CVE analysis and severity classification
  • Base image hardening
  • Image version pinning
  • Least privilege using non-root containers
  • Reducing the attack surface
  • Secure container image best practices

Interview Tip: Keep your actual scan results. Being able to say something like "I reduced vulnerabilities from 14 (2 Critical, 5 High) to 3 Medium by pinning the base image, removing unnecessary packages, and running the container as a non-root user" is a strong, concrete example of improving an application's security posture during a DevOps interview.

Metadata

Metadata

Assignees

Labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions