How to scan container images for vulnerabilities with Trivy
Trivy scans container images for OS and dependency CVEs locally and in CI. Filter by severity, ignore vetted findings, and fail builds on critical, unfixed vulnerabilities to keep risky images out of production.
Scanning container images with Trivy
Trivy is an open-source scanner that detects known vulnerabilities (CVEs) in OS packages and application dependencies inside container images. Scanning early and in CI catches risky base images and libraries before they reach production.
Prerequisites
- Docker installed with an image to scan.
- Optional access to a CI system to automate scans.
Steps
1. Install Trivy
Install via your package manager, or run it as a container:
docker run --rm aquasec/trivy:latest --version
2. Scan a local image
trivy image myapp:latest
Trivy downloads its vulnerability database, then lists findings grouped by package with severity and fixed version.
3. Filter by severity
Focus on actionable issues:
trivy image --severity HIGH,CRITICAL myapp:latest
4. Ignore accepted findings
Record vetted, unfixable CVEs in a .trivyignore file, one ID per line, so they stop failing builds while remaining documented.
5. Fail the build on critical CVEs
Return a non-zero exit code when serious issues exist:
trivy image --exit-code 1 --severity CRITICAL --ignore-unfixed myapp:latest
--ignore-unfixed skips CVEs with no available fix.
6. Add Trivy to CI
In a GitHub Actions job, build the image then run Trivy as a step that fails on CRITICAL findings, optionally uploading SARIF results to code scanning.
Verification
Scan a deliberately old base image and confirm Trivy reports CVEs with fixed versions. Add --exit-code 1 --severity CRITICAL and confirm the command fails when criticals exist and passes after you upgrade the base image.
Next Steps
Also scan filesystems and IaC with Trivy, generate an SBOM for supply-chain transparency, and rebuild images on a schedule so base-image fixes land automatically. Pair scanning with image signing and admission policies that block unscanned images.
Prerequisites
- Docker installed
- A built image to scan
- Optional CI access
Steps
- 1Install Trivy
- 2Scan a local image
- 3Filter by severity
- 4Ignore accepted findings
- 5Fail the build on critical CVEs
- 6Add Trivy to CI