PeachyCloudSecurity Youtube

Cloud and Kubernetes security docs and hands‑on labs for engineers.

• Free Documentation: https://book.peachycloudsecurity.com
• Free Hands on Labs: https://killercoda.com/peachycloudscurity-1

Quick links

• Primary site: https://book.peachycloudsecurity.com

• YouTube: https://youtube.com/@peachycloudsecurity

• Topmate: https://topmate.io/peachycloudsecurity

• Linktree: https://linktr.ee/theshukladuo

• Instagram: https://instagram.com/peachycloudsecurity

• OWASP EKS Goat: https://eksgoat.kubernetesvillage.com

• OWASP EKS Goat: https://eksgoat.kubernetesvillage.com

• Maintainers: Anjali & Divyanshu (theshukladuo)

Credits

• Created by Anjali & Divyanshu.
• Canva

Complete Cloud Security Engineer Roadmap | Step-by-Step Guide for Beginners

Welcome to the Cloud Security Engineer Roadmap on peachycloudsecurity by theshukladuo. This content is part of the PeachyCloudSecurity learning series.

Video & Slides

• YouTube Session: How to Become a Cloud Security Engineer | Step-by-Step Roadmap For Beginners

Slide Deck (PDF)

If the embed does not load, you can open it directly: Cloud Security Engineer Roadmap PDF

What This Page Covers

• Overview of what Cloud Security is
• Role of a Cloud Security Engineer
• Core foundations: Linux, networking, scripting, containers
• Choosing your first cloud provider (AWS focus)
• Defense in Depth in cloud environments
• A practical 30-60-90 day learning path
• Notes on certifications
• Contact Us

If the embed does not load, open it directly: Cloud Security Engineer Roadmap PDF

Connect with PeachyCloudSecurity

• 🌊 LinkedIn / All Links
• 🎥 YouTube
• 📸 Instagram
• 👍 Topmate

Next Steps

New lab guides and cloud/container security scenarios will be linked to into this website as they are released.

Hands-on Intro Guide: Trivy for Docker Images & Kubernetes YAML

This is a 1-pager theory guide for the lab “Hands on Lab: Scanning Docker Images & Kubernetes YAML with Trivy” on PeachyCloudSecurity.

Use this to understand what Trivy does and where it fits in your workflow before/after you run the lab.

Lab & Video

Hands-on practice (recommended first, then come back to the theory when needed):

• Interactive Lab
  Hands on Lab: Scanning Docker Images & Kubernetes YAML with Trivy
  👉 https://killercoda.com/peachycloudsecurity-1/course/kubernetes-security/k8s-trivy-scanner

• YouTube Walkthrough
  Full step-by-step demo of the same lab:

What Is Trivy

Trivy is an open-source scanner from Aqua Security that looks for security issues across your stack:

• Vulnerable OS packages and application dependencies
• Misconfigurations in Dockerfiles, Kubernetes YAML, Terraform etc.
• Leaked secrets (API keys, passwords, tokens)
• License issues in open-source packages

Think of it as a Swiss-army knife for “What is wrong with this image / repo / config?” that you can call from CLI or wire into CI/CD.

What Trivy Can Scan

Trivy has two main concepts:

1. Scanners – Types of checks:

   • OS packages and libraries (CVE scan)
   • App dependencies via lockfiles (e.g. requirements.txt, package-lock.json)
   • IaC misconfig (Kubernetes, Terraform, Dockerfile, etc.)
   • Secrets in files and repos
   • Licenses

2. Targets – Where it looks:

   • Container images (local or in registries)
   • Kubernetes manifests / clusters
   • Git repositories
   • Local filesystem paths
   • VM images
   • Cloud targets like AWS, etc.

In this lab we mainly care about:

• Docker images – trivy image …
• Kubernetes YAML / configs – trivy config …

How Image Scanning Works (Conceptually)

When you scan an image, Trivy:

1. Pulls vulnerability DB (first run is slower; later runs reuse cache).
2. Figures out the OS and dependency ecosystem (Alpine, Debian, etc.).
3. Lists installed packages and libraries.
4. Matches those against public sources like CVE feeds and distro advisories.
5. Prints a report with:
   • Vulnerability ID (CVE-XXXX)
   • Package name
   • Installed version vs fixed version
   • Severity (CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN)

You can filter by severity, choose output format, or feed results into other tooling.

Important Gotchas For Image Scans

These are the things that usually bite people:

• Old base images = noisy output

  • If Trivy says “OS version is no longer supported,” it means the distro stopped shipping patches.
  • You will see a lot of unfixable or noisy CVEs. The real fix is: upgrade the base image, not try to patch inside the container.

• “Not fixed” ≠ safe

  • If Fixed Version is empty, there is no upstream patch yet. You must:
    • Check exploitability for your use case.
    • Add defense-in-depth (network isolation, runtime policy, WAF, etc.).
    • Track when a patched version appears.

• False positives and context

  • A vulnerable library may exist in the image but not be reachable by the app.
  • For compliance you still need a plan, but for risk you should weigh:
    • Is the package actually used?
    • Is the image internet-facing?
    • Does it handle sensitive data?

• Severity filters hide risk if misused

  • Commands like --severity CRITICAL,HIGH are useful for signal-to-noise.
  • But if you only ever scan for CRITICAL/HIGH, you will miss:
    • Chains of low/medium vulns that combine into an exploit.
    • Medium issues that are critical for your specific threat model.

• Private registries need auth first

  • Trivy reuses your Docker/registry login state.
  • If you get “unauthorized” or “not found,” usually:
    • You are not logged into the registry.
    • The registry uses a different URL than you are scanning.

Kubernetes YAML / Config Scanning

Trivy can also scan configs (not just images):

• Use the config / conf scanner to find:
  • Privileged or root containers
  • Dangerous capabilities
  • Insecure hostPath mounts
  • Wide-open network policies
  • Other common K8s/IaC misconfigs

Internally, it runs built-in policies over your YAML/Terraform/Dockerfile to highlight risky patterns.

Typical usage pattern:

• Point Trivy at a folder containing manifests.
• It walks all files and reports misconfigurations with:
  • File path
  • Resource kind/name
  • Rule that was violated
  • Severity

Where Trivy Fits in Your Workflow

Trivy is most useful when it is not a one-time “security scan,” but part of your regular flow:

• Local dev: quick checks on images and YAML before you push.
• Pre-merge / CI: block or warn on bad images/configs before deployment.
• Registry / artifact scans: regularly scan images that live in your registry.
• Kubernetes / IaC review: enforce baselines for security contexts, network, and storage configs.

Common real-world pattern:

• Devs run Trivy locally to clean obvious issues.
• CI runs Trivy with stricter policies and fails builds on specific severities.
• Security team tunes rules and severity thresholds per environment (dev/stage/prod).

Output Formats (Why They Matter)

Trivy supports multiple formats to plug into different workflows:

• Table (default) – human-friendly for local use.
• JSON – for dashboards, SIEM, or custom scripts.
• Template (e.g., HTML) – for shareable reports.

Typical usage:

• Local: use table to iterate.
• CI: generate JSON, archive it as an artifact, or push into a vulnerability dashboard.

What Trivy Does Not Replace

Trivy is powerful, but it’s not your entire AppSec program:

• It does not replace:
  • SAST for code-level logic bugs.
  • DAST for runtime/web behavior issues.
  • Manual security review and threat modeling.
• It does give you a solid baseline for:
  • Known CVEs in OS + dependencies.
  • Misconfig and secret hygiene.
  • Basic license visibility.

Use it as the “first line of defense” in your container/K8s pipeline, not the only line.

Thanks:

• https://github.com/aquasecurity/trivy
• https://medium.com/@maheshwar.ramkrushna/scanning-docker-images-for-vulnerabilities-using-trivy-for-effective-security-analysis-fa3e2844db22
• https://www.jit.io/resources/appsec-tools/when-and-how-to-use-trivy-to-scan-containers-for-vulnerabilities
• openai & canva

Kubernetes Security Hands-On Lab: Kube-Bench vs Kube-Hunter

• Interactive Lab
  Hands on Lab: Scanning Docker Images & Kubernetes YAML with Trivy
  👉 https://killercoda.com/peachycloudsecurity-1/course/kubernetes-security/kubebench-kubehunter

🎥 Watch the full lab on YouTube

This hands-on lab walks you through hardening a Kubernetes cluster using kube-bench and kube-hunter side by side.

You will:

• Deploy intentionally misconfigured / insecure Kubernetes workloads
• Run kube-hunter to discover exposed services and attack surface
• Run kube-bench to validate the cluster against the CIS Kubernetes Benchmark
• Compare the findings and output formats of both tools (human-readable vs JSON)
• Apply security fixes and re-run the tools to verify remediation

Created by PeachyCloudSecurity (TheShuklaDuo – Anjali & Divyanshu).

Lab and Docs

• 🔬 Killercoda Lab: https://killercoda.com/peachycloudsecurity-1
• 📘 Documentation: https://book.peachycloudsecurity.com/

All links and labs: https://linktr.ee/peachycloudsecurity

Stay Connected

• 🌊 LinkedIn: https://linktr.ee/peachycloudsecurity
• 🎥 YouTube: https://youtube.com/@peachycloudsecurity
• 📸 Instagram: https://instagram.com/peachycloudsecurity
• 👍 Topmate: https://topmate.io/peachycloudsecurity

#cloudsecurity #kubernetes #kubesecurity #kubebench #kubehunter #devsecops #containersecurity #docker

OWASP EKS Goat Series

OWASP EKS Goat Documentation

• https://eksgoat.peachycloudsecurity.com

Coming Soon....

Subscribe Youtube