Scan Docker Images with Trivy: CI/CD Security Pipeline Guide
Docker Security Series – Part 3

In Part 1, we covered hardened Docker images. In Part 2, we focused on Dockerfile security best practices. This guide shows how to scan Docker images for vulnerabilities using Trivy and integrate it into your CI/CD pipeline.
What is Trivy?
Trivy is an open-source vulnerability scanner for:
Container images
Filesystems
Git repositories
Infrastructure as Code (IaC)
It detects:
OS package vulnerabilities (Alpine, Debian, Ubuntu)
Language-specific issues (Node.js, Python, Java)
Misconfigurations (Kubernetes, Terraform)
Why Scan Docker Images?
Scanning helps you:
Identify known CVEs before deployment
Enforce security policies in CI/CD
Reduce production risk
Without scanning, vulnerable images can reach production unnoticed.
Install Trivy
On Linux
sudo apt install wget -y
# Pin the release in the URL: the releases/latest redirect only works while the
# newest release still ships an asset with exactly this file name.
wget https://github.com/aquasecurity/trivy/releases/download/v0.50.0/trivy_0.50.0_Linux-64bit.deb
sudo dpkg -i trivy_0.50.0_Linux-64bit.deb
On macOS
brew install aquasecurity/trivy/trivy
Verify Installation
trivy --version
Scan a Docker Image
trivy image node:18-alpine
Trivy will output:
Vulnerability severity (LOW, MEDIUM, HIGH, CRITICAL)
Affected packages
Fixed versions (if available)
Scan Your Application Image
docker build -t myapp:latest .
trivy image myapp:latest
This is the most important step for real-world use.
Filter Only High and Critical Vulnerabilities
trivy image --severity HIGH,CRITICAL myapp:latest
Use this in CI pipelines to focus on serious risks.
Fail Build on Vulnerabilities
trivy image --exit-code 1 --severity CRITICAL myapp:latest
Exit code 1 → pipeline fails
Ensures vulnerable images are not deployed
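The same fail-on-severity rule applied to Trivy's JSON output (`trivy image --format json`), as an added example that is not part of the original post: it reproduces the effect of `--exit-code 1 --severity HIGH,CRITICAL` and of Trivy's `--ignore-unfixed` flag, while still counting LOW/MEDIUM findings so they are not silently dropped. The embedded report is constructed; its CVE ids, packages and versions are placeholders.

```python
import json
from collections import Counter

# Constructed sample of a `trivy image --format json` report (schema v2).
# The CVE ids, package names and versions are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "myapp:latest",
    "Results": [
        {"Target": "myapp:latest (alpine 3.18.0)", "Class": "os-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "Severity": "CRITICAL",
             "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.1-r0"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "Severity": "HIGH",
             "InstalledVersion": "1.36.0-r0", "FixedVersion": ""},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "Severity": "MEDIUM",
             "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.2.13-r1"}]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "lodash", "Severity": "HIGH",
             "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21"}]},
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def evaluate(report_json, fail_on="HIGH", ignore_unfixed=False):
    """Gate a build on a Trivy JSON report: returns (exit_code, blocking, counts).
    exit_code is 1 when a finding at or above `fail_on` survives the optional
    unfixed filter, like `trivy image --exit-code 1 --severity ... --ignore-unfixed`."""
    threshold = SEVERITY_RANK[fail_on]
    counts, blocking = Counter(), []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:   # key is absent when clean
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] += 1                 # LOW/MEDIUM stay visible in the summary
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue                     # nothing to upgrade to yet; report only
            if SEVERITY_RANK.get(sev, 0) >= threshold:
                blocking.append(f'{vuln["VulnerabilityID"]} {vuln["PkgName"]} '
                                f'{vuln["InstalledVersion"]} -> {vuln["FixedVersion"] or "no fix"}'
                                f' [{sev}] in {result["Target"]}')
    return (1 if blocking else 0), blocking, dict(counts)

if __name__ == "__main__":
    code, blocking, counts = evaluate(SAMPLE_REPORT, fail_on="HIGH", ignore_unfixed=True)
    print("findings per severity:", counts)
    print("\n".join("BLOCKING: " + line for line in blocking))
    raise SystemExit(code)   # non-zero exit fails the CI stage, like --exit-code 1
```

In a pipeline the report would come from `trivy image --format json myapp:latest` rather than the embedded sample.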
Scan Filesystem (Before Build)
trivy fs .
Useful for detecting:
Secrets
Dependency vulnerabilities
CI/CD Integration (Jenkins Example)
Jenkins Pipeline Stage
stage('Security Scan') {
    steps {
        sh '''
            trivy image --exit-code 1 \
                --severity HIGH,CRITICAL \
                myapp:latest
        '''
    }
}
If vulnerabilities are found, the build will fail automatically.
GitHub Actions Integration
name: Trivy Scan
on: [push]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Build Image
        run: docker build -t myapp:latest .
      - name: Run Trivy Scan
        uses: aquasecurity/trivy-action@v0.20.0
        with:
          image-ref: 'myapp:latest'
          severity: 'HIGH,CRITICAL'
          exit-code: '1'
Best Practices for Trivy Scanning
Scan images during build stage
Fail pipeline on critical vulnerabilities
Regularly update vulnerability database
Combine with Dockerfile hardening
Use minimal base images
Common Mistakes to Avoid
Ignoring LOW/MEDIUM vulnerabilities completely
Not failing builds on CRITICAL issues
Scanning only in production
Using outdated base images
Docker Security Series
Part 1: Hardened Docker Images
Part 2: Dockerfile Security Best Practices
Part 3: Scan Docker Images with Trivy (current)
Part 4: Runtime Container Security (next)
Conclusion
Trivy is a powerful and lightweight tool for container vulnerability scanning. By integrating Trivy into your CI/CD pipeline, you can enforce security early and prevent vulnerable images from reaching production.
Security should be automated, not manual.
FAQ
What is Trivy used for?
Trivy is used to scan container images, filesystems, and repositories for vulnerabilities and misconfigurations.
Can Trivy be used in CI/CD pipelines?
Yes, Trivy integrates easily with Jenkins, GitHub Actions, and other CI/CD tools.
Does Trivy scan application dependencies?
Yes, it detects vulnerabilities in OS packages and language-specific dependencies.
How do I fail a pipeline using Trivy?
Use the --exit-code 1 flag with severity filters like HIGH or CRITICAL.