Skip to main content

How to scan container images for vulnerabilities with Trivy

Trivy scans container images for OS and dependency CVEs locally and in CI. Filter by severity, ignore vetted findings, and fail builds on critical, unfixed vulnerabilities to keep risky images out of production.

Difficulty
Beginner
Duration
30 minutes
Steps
6

Scanning container images with Trivy

Trivy is an open-source scanner that detects known vulnerabilities (CVEs) in OS packages and application dependencies inside container images. Scanning early and in CI catches risky base images and libraries before they reach production.

Prerequisites

  • Docker installed with an image to scan.
  • Optional access to a CI system to automate scans.

Steps

1. Install Trivy

Install via your package manager, or run it as a container:

docker run --rm aquasec/trivy:latest --version

2. Scan a local image

trivy image myapp:latest

Trivy downloads its vulnerability database, then lists findings grouped by package with severity and fixed version.

3. Filter by severity

Focus on actionable issues:

trivy image --severity HIGH,CRITICAL myapp:latest

4. Ignore accepted findings

Record vetted, unfixable CVEs in a .trivyignore file, one ID per line, so they stop failing builds while remaining documented.

5. Fail the build on critical CVEs

Return a non-zero exit code when serious issues exist:

trivy image --exit-code 1 --severity CRITICAL --ignore-unfixed myapp:latest

--ignore-unfixed skips CVEs with no available fix.

6. Add Trivy to CI

In a GitHub Actions job, build the image then run Trivy as a step that fails on CRITICAL findings, optionally uploading SARIF results to code scanning.

Verification

Scan a deliberately old base image and confirm Trivy reports CVEs with fixed versions. Add --exit-code 1 --severity CRITICAL and confirm the command fails when criticals exist and passes after you upgrade the base image.

Next Steps

Also scan filesystems and IaC with Trivy, generate an SBOM for supply-chain transparency, and rebuild images on a schedule so base-image fixes land automatically. Pair scanning with image signing and admission policies that block unscanned images.

Prerequisites

  • Docker installed
  • A built image to scan
  • Optional CI access

Steps

  • 1
    Install Trivy
  • 2
    Scan a local image
  • 3
    Filter by severity
  • 4
    Ignore accepted findings
  • 5
    Fail the build on critical CVEs
  • 6
    Add Trivy to CI

Category

Security