Stage 4 · Provision
Registries & Security
Trivy Scanning
Scan images with Trivy for CVEs, OS packages, language dependencies, misconfigurations, and SBOMs.
What Is Trivy?
Trivy is a comprehensive security scanner that detects vulnerabilities in container images, file systems, Git repositories, Kubernetes, and more. It scans for CVEs in OS packages, language dependencies, configuration issues, and sensitive information. It is the most widely used container security tool.
Scanning Images
# Install Trivy
brew install trivy # macOS
# or
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh
# Scan a local image
trivy image myapp:latest
# Scan a remote image
trivy image nginx:1.25-alpine
# Scan with severity filter
trivy image --severity HIGH,CRITICAL myapp:latest
# Scan with exit code on vulnerabilities
trivy image --exit-code 1 myapp:latestTrivy downloads vulnerability databases on first run and caches them. The --exit-code 1 flag makes the command fail if vulnerabilities are found, useful for CI/CD pipelines.
Understanding Results
Trivy reports vulnerabilities organized by package and severity. Each vulnerability includes a CVE ID, severity score, installed version, and fixed version. Understanding these fields helps you prioritize remediation.
# Default table output
trivy image nginx:alpine
# Example output:
# nginx:alpine (debian 12.4)
#
# Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
#
# libssl3 3.0.11-1~deb12u1 CVE-2023-5678 HIGH
# zlib1g 1.2.13.dfsg-2 CVE-2023-1234 MEDIUM
# JSON output for parsing
trivy image -f json myapp:latest
# Table with fixed versions
trivy image --format table myapp:latestHIGH and CRITICAL vulnerabilities should be fixed immediately. MEDIUM and LOW can be scheduled. The fixed version column tells you which package version resolves the vulnerability.
Scan images locally before pushing to a registry. Use trivy image --exit-code 1 --severity HIGH,CRITICAL to fail the build if critical vulnerabilities are found. This prevents vulnerable images from reaching production.
Scanning Dockerfiles
# Scan Dockerfile for misconfigurations
trivy config Dockerfile
# Scan a directory
trivy config ./docker/
# Check for security best practices
trivy config --severity HIGH,CRITICAL Dockerfile
# Example findings:
# - Image should use a non-root user (HIGH)
# - Package cache not cleaned (MEDIUM)
# - Using :latest tag (LOW)Trivy checks Dockerfiles against CIS Docker Benchmark and security best practices. It identifies missing USER instructions, unnecessary privileges, and other misconfigurations.
SBOM Generation
A Software Bill of Materials (SBOM) lists every component in your image — OS packages, language libraries, and their versions. SBOMs are required for compliance and supply chain security.
# Generate SBOM in CycloneDX format
trivy image --format cyclonedx -o sbom.json myapp:latest
# Generate SBOM in SPDX format
trivy image --format spdx-json -o sbom-spdx.json myapp:latest
# Use the SBOM for scanning
trivy sbom sbom.jsonCycloneDX and SPDX are standard SBOM formats. Generate SBOMs during your build process and store them alongside images. Use them for compliance audits and vulnerability tracking.
CI/CD Integration
name: Security Scan
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Build image
run: docker build -t myapp:scan .
- name: Run Trivy scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: myapp:scan
format: table
exit-code: 1
severity: HIGH,CRITICALThis GitHub Action scans the image on every push and pull request. The exit-code: 1 flag fails the build if HIGH or CRITICAL vulnerabilities are found. Adjust severity thresholds to your risk tolerance.
Vulnerabilities are discovered daily. Scan images in CI/CD pipelines and re-scan running containers regularly. New CVEs can affect previously clean images. Tools like Trivy Operator scan Kubernetes clusters continuously.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.