Trivy hack

Notice: All following words, with their typos and incoherent train of thought, have been written without AI assistance.

Rolling out your own - are you screwed?

Running your own infrastructure is liberating, but ensuring the hull of your homelab ship is tight requires time investment and careful attention.

Since Trivy was announced I’d been digging in my homelab to see if I was running compromised tags. I run Harbor registry as a cache layer between ghcr.io and hub.docker.com. This allows me to avoid rate limiting when re-deploying containers. Harbor implements Trivy via its security scanners option. The Harbor Helm chart comes with a trivy option:

  trivy:
    enabled: true

When enabled, the following statefulset is added to the release:

[...]
spec:
  securityContext:
    runAsUser: 10000
    fsGroup: 10000
  automountServiceAccountToken: false
  containers:
    - name: trivy
      image: goharbor/trivy-adapter-photon:v2.14.2
      imagePullPolicy: IfNotPresent
      securityContext: 
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - ALL
        privileged: false
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault

Harbor runs Trivy via its own adapter, goharbor/trivy-adapter-photon:v2.14.2. The pod drops all capabilities, does not mount service account tokens, and runs as user 10000. It’s not immediately obvious which version of Trivy the adapter is using, but after inspecting trivy-adapter/Dockerfile.base it’s clear that it’s not dropping in unexpected Docker images: it includes Trivy as a library and packages it in its own Docker image.

Dodged this one

If you are running Harbor with Trivy enabled, you should be in the clear. As always, pin your image tags with @sha256:..., as digests cannot be force-pushed.

Force-pushing tags is a well-known attack vector and affects any runtime that pulls and runs OCI images.

I am yet to tighten my GitHub Actions with sha tags, but for Renovate upgrades I have this setting:

"helm-values": {
  "enabled": true,
  "pinDigests": true
}

pinDigests will ensure that any bump will include the sha, e.g. 2.20.11@sha256:1919ba5edec278e81d2393efc82c97c9e3e18ef9dfcb43fdcfa7359dd3adfe99

This image should never change even if attackers force-push the 2.20.11 tag - the sha256 stays immutable.
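To check that digest pinning is actually in place, the following added example (not part of the original post, and not Harbor or Renovate code) scans rendered manifests or Helm values for `image:` and `tag:` values that lack a full `@sha256:` digest. The function name, the line-based matching and the sample input are assumptions made for illustration; the sample is constructed from the snippets above plus a placeholder sidecar entry.

```python
import re

# Matches "image: <ref>" or "tag: <value>" lines, optionally as a list item
# and optionally quoted. Keys such as imagePullPolicy do not match.
REF_LINE = re.compile(r'^\s*(?:-\s*)?(image|tag):\s*["\']?([^\s"\'#]+)')
# A pinned reference ends in an OCI digest: @sha256: plus 64 lowercase hex chars.
DIGEST = re.compile(r'@sha256:[0-9a-f]{64}$')


def unpinned_refs(text):
    """Return (line_number, key, value) for each image/tag value without a full digest."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = REF_LINE.match(line)
        if not match:
            continue  # not an image/tag line, or a bare "image:" mapping header
        key, value = match.groups()
        if not DIGEST.search(value):
            findings.append((lineno, key, value))
    return findings


# Constructed sample: the adapter image from the statefulset above (tag only),
# the digest-pinned tag from the Renovate example, and a placeholder sidecar
# whose digest is truncated and therefore must not count as pinned.
SAMPLE = """\
containers:
  - name: trivy
    image: goharbor/trivy-adapter-photon:v2.14.2
image:
  repository: example.invalid/app
  tag: 2.20.11@sha256:1919ba5edec278e81d2393efc82c97c9e3e18ef9dfcb43fdcfa7359dd3adfe99
sidecar:
  image: "example.invalid/sidecar:latest@sha256:deadbeef"
"""

if __name__ == "__main__":
    for lineno, key, value in unpinned_refs(SAMPLE):
        print(f"line {lineno}: {key} is not digest-pinned: {value}")
```

Run over the output of `helm template` or a values file in CI, a non-empty result is a reason to fail the build until the reference is pinned.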

Stay safe, y’all.