DEVOPSdigest

Aqua Security announced multiple updates to Aqua Trivy, making it a unified scanner for cloud native security.

Consolidating multiple scanning tools into a single tool, it is now a comprehensive vulnerability and misconfigurations scanner for cloud native applications and infrastructure.

Trivy is also being integrated into the Aqua Platform as Trivy Premium, through which customers can take advantage of customer support, premium content and centralized management for enterprise scalability.

Trivy is now one tool for all cloud native scanning needs including source code, repositories, images, artifact registries, Infrastructure as Code (IaC) templates and Kubernetes environments. With fewer tools to manage, developers, DevOps and DevSecOps now have a more efficient, simplified tool to ensure security of their cloud native applications. They can integrate security into their workflows without having to leave their continuous integration or continuous deployment (CI/CD) environments.

New capabilities include the following:

- Scan proprietary and third-party code for issues using Integrated Developer Environment (IDE) plug-ins for JetBrains, VSCode and VIM to shift security further left.

- Generate complete software bills of materials (SBOM) to provide transparency into software components and restore visibility to risks in the software supply chain.

- Detect sensitive hardcoded secrets, like passwords, API keys and tokens to prevent unauthorized access by threat actors.

- Scan running Kubernetes clusters for a full life cycle view of risks, and audit for regulatory compliance.

“By integrating more cloud native scanning targets into Trivy, such as Kubernetes, we are simplifying cloud native security,” said Amir Jerbi, CTO and co-founder of Aqua Security. “Security professionals are overwhelmed with the number of tools they are required to use and consolidating tools where possible helps teams become more efficient. The world’s most popular open source vulnerability scanner is now elevated to another level. With Trivy’s enhancements, developers have less tools to learn, use, manage and maintain.”

Trivy Premium, now part of the Aqua Cloud Native Application Protection Platform (CNAPP), builds on the popularity of Trivy Open Source and adds new centralized management capabilities plus a user interface to meet the scalability and management needs of larger organizations.

Trivy Premium also offers increased vulnerability identification accuracy, thanks to premium threat intelligence, malware scanning and the ability to scan standalone binaries (applications installed directly without the use of a package manager). As part of the Aqua Platform, Trivy Premium integrates with other platform modules like Cloud Security Posture Management (CSPM) and Runtime Protection for complete cloud native application life cycle protection.

“Trivy Premium is a gamechanger for organizations who already know and love Trivy and want to leverage the best security tools from the start to prevent attacks before they happen,” said Jerbi.

Trivy is a comprehensive, easy-to-use open source scanner, covering more languages, OS packages and application dependencies. It provides fast, stateless scanning with no prerequisites for installation and delivers highly accurate results with broad and accurate coverage.

In May 2022, Trivy was integrated into Docker Desktop to bring vulnerability and risk scanning into developer workflows, eliminating friction, so users can confidently build more secure cloud native applications. Trivy is built on the largest cloud native security community, and with 100,000 users, and with nearly 12,000 GitHub stars, it is the most popular vulnerability and risk scanner in the world. It has been adopted by leading cloud platform providers and for DevOps projects like GitLab, Artifact Hub, and Harbor.