Video tutorial coming soon.
Scan Docker images, Kubernetes manifests, and filesystems for known CVEs, misconfigurations, and secrets — fast, accurate, and CI/CD-ready.
Grab the automated bash script from GitHub to follow along with the video.
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/security/trivy/trivy-ubuntu.sh
chmod +x trivy-ubuntu.sh
sudo bash trivy-ubuntu.sh
Script installs Trivy CLI and configures it with local vulnerability database caching for fast offline scans.
Run `trivy image nginx:latest` to scan any Docker image. The default table output lists each CVE with the affected package, installed version and fixed version, and a per-target total broken down by severity (UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL). The first run downloads the vulnerability database; later runs reuse the local cache.
trivy image nginx:latest
Add Trivy to your Woodpecker CI or Gitea Actions pipeline to automatically scan images on every build and fail the build on HIGH or CRITICAL findings. The step only needs the command below; a non-zero exit code marks the step as failed.
# Command for the CI step (Woodpecker, Gitea Actions or any runner that fails on non-zero exit)
trivy image --exit-code 1 --severity HIGH,CRITICAL myapp:latest
| Port | Purpose |
|---|---|
| None | CLI tool with no listening ports; runs locally or in CI/CD pipelines and only makes outbound connections to fetch database updates |
Trivy (by Aqua Security) is one of the most widely adopted open-source vulnerability scanners for containers and infrastructure-as-code. It scans Docker images, filesystem directories, Git repositories, Kubernetes clusters, and Terraform/Helm/CloudFormation files in seconds. Unlike heavy enterprise scanners, Trivy is a single binary with no server component required. It downloads a prebuilt vulnerability database (trivy-db) aggregated from NVD, the GitHub Advisory Database and OS vendor advisories, keeps it in a local cache, and can scan fully offline once the DB is downloaded.
Container images silently carry OS-level CVEs and outdated library versions that most developers never see. Trivy surfaces them instantly — before you push to production. It also finds hardcoded secrets and IaC misconfigurations (open S3 buckets, privileged containers, missing network policies) in the same scan. Because it is a single binary with no setup, there is no reason not to run it on every build.
Trivy is a CLI tool with no listening ports. It runs locally, in a container, or in CI/CD pipelines and communicates outbound only to download vulnerability database updates from GitHub. No firewall rules are needed. For air-gapped environments, download the database on an internet-connected machine with `trivy image --download-db-only` (and `trivy image --download-java-db-only` if you scan JARs), copy the whole cache directory (`~/.cache/trivy` by default, or whatever you set with `--cache-dir`) to the offline system, and run scans there with `--skip-db-update` (add `--offline-scan` to stop Trivy from trying to reach external services for Java dependency resolution). The copied database ages, so repeat the transfer on a schedule; a scan against a stale DB reports nothing for CVEs published after it was downloaded.
Grype (Anchore) is the closest alternative — similar scope, slightly different CVE DB sources. Docker Scout is built into Docker Desktop and Docker Hub but limited to Docker's ecosystem. Snyk has a wider language coverage but requires a cloud account for full features. Clair is older and more complex to self-host. For network-level scanning, pair Trivy with OpenVAS — Trivy covers containers and code while OpenVAS covers network hosts and services.
Trivy is not a network vulnerability scanner — it does not probe live services or test authentication. For scanning running hosts and network services, use OpenVAS. If you only care about a quick one-off check and do not want to install anything, Docker Scout or Snyk's free web upload may be faster. Trivy also does not replace a DAST tool (like OWASP ZAP) for testing web application logic.
PrismaTechWork provides end-to-end infrastructure services — from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.
Trivy scans all layers of a Docker image, including the base OS layer, intermediate build layers, and the final application layer. It finds CVEs in OS packages (apt, apk, rpm) and language-specific dependencies (npm, pip, go modules, Maven, Cargo, NuGet) across every layer. This is why even a `FROM ubuntu:22.04` base image often shows dozens of OS-level CVEs, many of them without a vendor fix yet. With `--format json` each finding records the layer that introduced the package, which lets you separate base-image CVEs (fix by bumping the `FROM` tag) from ones your own Dockerfile added.
Use the `--exit-code` and `--severity` flags together: `trivy image --exit-code 1 --severity CRITICAL your-image:tag`. This causes Trivy to exit with code 1 (build failure) only if at least one CRITICAL CVE is found; without `--exit-code` Trivy always exits 0 after reporting. For blocking on HIGH as well: `--severity CRITICAL,HIGH`. Note that the exit code covers every enabled scanner, so a CRITICAL misconfiguration or a detected secret fails the build too when those scanners are on. Most CI systems (Woodpecker, GitHub Actions, GitLab CI) treat a non-zero exit code as a failed step.
Yes. For Docker Hub private repos, run `docker login` first; Trivy reads the credentials Docker stored (`~/.docker/config.json`, including credential helpers). For other registries: set the `TRIVY_USERNAME` and `TRIVY_PASSWORD` environment variables, or use the `--username` and `--password` flags. In CI prefer the environment variables or the runner's secret store over flags, since a password on the command line shows up in process listings and job logs. For AWS ECR, set standard AWS credentials; Trivy uses the AWS SDK to authenticate automatically. For Harbor, use the Harbor username and CLI secret as credentials.
Create a `.trivyignore` file in your repo root. Add one CVE ID per line (e.g., `CVE-2023-12345`) with a `#` comment explaining why you accept it, who accepted it, and when it should be reviewed. Trivy silently skips those CVEs on every scan, so without that comment an ignore entry tends to outlive the reason for it; newer releases also accept a `.trivyignore.yaml` where each entry carries a `statement` and an `expired_at` date, so accepted risks expire instead of living forever. Alternatively, use `--ignore-unfixed` to suppress CVEs that have no available fix yet, useful for reducing noise on base images where you are waiting for upstream patches. Because that hides unfixed CRITICALs from the gating scan, keep a separate unfiltered scan (for example a nightly job) so they stay visible.
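The gating rule above (`--exit-code 1 --severity ...`, `.trivyignore`, `--ignore-unfixed`) is easy to state but worth seeing applied to a concrete report. The script below is an added example, not code from the Trivy project or this page: it reads a report in the shape of `trivy image --format json` output, applies the same three rules, and returns the exit code the CI step would get. The report and the `.trivyignore` contents are constructed for illustration (the CVE IDs are placeholders, not real advisories); the function names are mine.

```python
"""Apply a Trivy-style severity gate to a JSON scan report.

Added example. Replace SAMPLE_REPORT with json.load(open("report.json"))
from `trivy image --format json --output report.json myapp:latest`.
"""
import json
import sys

# Constructed sample in the shape of Trivy's JSON report (schema v2).
# Placeholder IDs of the form CVE-0000-0000N; not real vulnerabilities.
SAMPLE_REPORT = json.loads(r'''{
  "SchemaVersion": 2, "ArtifactName": "myapp:latest", "ArtifactType": "container_image",
  "Results": [
    {"Target": "myapp:latest (debian 12.4)", "Class": "os-pkgs", "Type": "debian",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libssl3", "Severity": "HIGH",
        "InstalledVersion": "3.0.11-1~deb12u1", "FixedVersion": "3.0.11-1~deb12u2"},
       {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libc6", "Severity": "CRITICAL",
        "InstalledVersion": "2.36-9+deb12u3", "FixedVersion": ""},
       {"VulnerabilityID": "CVE-0000-00003", "PkgName": "curl", "Severity": "MEDIUM",
        "InstalledVersion": "7.88.1-10", "FixedVersion": "7.88.1-10+deb12u5"}
     ]},
    {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-00004", "PkgName": "lodash", "Severity": "CRITICAL",
        "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21"},
       {"VulnerabilityID": "CVE-0000-00005", "PkgName": "minimist", "Severity": "HIGH",
        "InstalledVersion": "1.2.5", "FixedVersion": "1.2.6"}
     ]},
    {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip"}
  ]
}''')

# Constructed .trivyignore: one ID per line, '#' comments and blank lines allowed.
SAMPLE_TRIVYIGNORE = """
# Accepted by app team 2024-06: vulnerable lodash function is not reachable. Review 2024-12.
CVE-0000-00004
"""


def parse_trivyignore(text):
    """Return the set of vulnerability IDs listed in .trivyignore text."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip trailing comments
        if line:
            ids.add(line)
    return ids


def blocking_findings(report, severities=("CRITICAL", "HIGH"),
                      ignored=frozenset(), ignore_unfixed=False):
    """Return the findings that fail the gate, in report order."""
    wanted = {s.upper() for s in severities}
    findings = []
    for result in report.get("Results", []):
        # "Vulnerabilities" is absent when a target is clean.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity", "UNKNOWN") not in wanted:
                continue  # below the --severity threshold
            if vuln["VulnerabilityID"] in ignored:
                continue  # listed in .trivyignore
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # --ignore-unfixed: no vendor fix available yet
            findings.append({
                "id": vuln["VulnerabilityID"], "target": result["Target"],
                "pkg": vuln["PkgName"], "severity": vuln["Severity"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
            })
    return findings


def gate_exit_code(findings):
    """Mirror --exit-code 1: non-zero only when something blocks."""
    return 1 if findings else 0


def run_gate(report, severities, ignore_text, ignore_unfixed):
    """Print blocking findings and return the exit code for the CI step."""
    findings = blocking_findings(report, severities,
                                 parse_trivyignore(ignore_text), ignore_unfixed)
    for f in findings:
        fixed = f["fixed"] or "no fix yet"
        print(f'{f["severity"]:8} {f["id"]}  {f["pkg"]} {f["installed"]} -> {fixed}  ({f["target"]})')
    print(f"{len(findings)} blocking finding(s)")
    return gate_exit_code(findings)


if __name__ == "__main__":
    sys.exit(run_gate(SAMPLE_REPORT, ("CRITICAL", "HIGH"), SAMPLE_TRIVYIGNORE, False))
```

Run as-is the sample fails (three blocking findings: two HIGH with fixes, one unfixed CRITICAL); flipping `ignore_unfixed` to True drops the unfixed `libc6` entry, which is exactly the trade-off `--ignore-unfixed` makes. Keeping the policy in a small script like this also gives you a place to log what was ignored and why on every build.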
Yes. Run `trivy image --format cyclonedx --output sbom.json your-image:tag` to generate a CycloneDX SBOM. Use `--format spdx-json` for SPDX format. SBOMs list every component in your image with version and license information, useful for compliance, supply chain auditing, and license reviews. You can also scan an existing SBOM file for vulnerabilities with `trivy sbom sbom.json`, which lets you re-check an image that was built months ago without rebuilding or re-pulling it.
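The license review mentioned above is a common reason to generate the SBOM in the first place. The script below is an added example (not Trivy's own tooling) that walks a CycloneDX JSON document in the shape Trivy emits with `--format cyclonedx`, collects each component's licenses, and flags components that are unlicensed or match a deny list. The SBOM content and the deny-list policy are constructed for illustration; the function names are mine.

```python
"""Flag components in a CycloneDX SBOM against a simple license policy.

Added example. Replace SAMPLE_SBOM with json.load(open("sbom.json")) from
`trivy image --format cyclonedx --output sbom.json your-image:tag`.
"""
import json
import re

# Constructed CycloneDX 1.5 JSON with the component fields Trivy populates.
SAMPLE_SBOM = json.loads(r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"type": "container", "name": "myapp:latest"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.11",
     "purl": "pkg:deb/debian/openssl@3.0.11",
     "licenses": [{"license": {"name": "Apache-2.0"}}]},
    {"type": "library", "name": "bash", "version": "5.2.15",
     "purl": "pkg:deb/debian/bash@5.2.15",
     "licenses": [{"license": {"name": "GPL-3.0-or-later"}}]},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "left-pad", "version": "1.3.0",
     "purl": "pkg:npm/left-pad@1.3.0"},
    {"type": "library", "name": "readline", "version": "8.2",
     "purl": "pkg:deb/debian/readline@8.2",
     "licenses": [{"expression": "GPL-3.0-only OR MIT"}]}
  ]
}''')

# Assumed policy for illustration: copyleft families that need legal review.
DENY_PREFIXES = ("GPL-", "AGPL-", "LGPL-")


def component_licenses(component):
    """Return the license identifiers declared on one component.

    CycloneDX allows either {"license": {"id"|"name": ...}} entries or a single
    {"expression": "..."}; expressions are split into their identifiers so that
    every branch of an OR/AND is examined.
    """
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            for tok in re.split(r"[\s()]+", entry["expression"]):
                if tok and tok.upper() not in ("AND", "OR", "WITH"):
                    found.append(tok)
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "")
    return [x for x in found if x]


def license_report(sbom, deny_prefixes=DENY_PREFIXES):
    """Classify components: 'denied' (any license matches the deny list,
    conservative for OR-expressions) and 'unlicensed' (no license declared)."""
    report = {"denied": [], "unlicensed": []}
    for comp in sbom.get("components", []):
        ident = f'{comp.get("name")}@{comp.get("version")}'
        licenses = component_licenses(comp)
        if not licenses:
            report["unlicensed"].append(ident)
            continue
        hits = [lic for lic in licenses if lic.startswith(deny_prefixes)]
        if hits:
            report["denied"].append((ident, hits))
    return report


if __name__ == "__main__":
    result = license_report(SAMPLE_SBOM)
    for ident, hits in result["denied"]:
        print(f"REVIEW   {ident}: {', '.join(hits)}")
    for ident in result["unlicensed"]:
        print(f"UNKNOWN  {ident}: no license declared")
```

OR-expressions such as `GPL-3.0-only OR MIT` are deliberately flagged for review rather than auto-approved, since deciding which branch applies is a legal call, not a scanner's. Components with no license at all are reported separately; in practice that bucket is where a manual look pays off most.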
Yes. Secret scanning is on by default for `trivy image` and `trivy fs` alongside vulnerability scanning; `trivy image --scanners secret your-image:tag` (or `trivy fs --scanners secret .` for a directory) restricts the run to secrets only, and `--scanners vuln,secret` runs both explicitly. Trivy uses pattern matching to detect API keys, AWS credentials, private keys, passwords, and tokens. The built-in ruleset covers GitHub tokens, Stripe keys, Slack webhooks, AWS access keys, and many more. You can add custom regex rules, or disable noisy built-in ones, in a `trivy-secret.yaml` passed with `--secret-config`. Treat a hit as a credential that must be rotated, not just deleted: a file removed in a later Dockerfile step still exists in the earlier layer of the image.
Run `trivy k8s --report summary all` to scan the entire cluster. It checks node OS vulnerabilities, container image CVEs, and Kubernetes manifest misconfigurations (privileged pods, missing securityContext, secrets exposed through environment variables). Use `trivy k8s --report all cluster` for detailed per-resource output. Trivy uses your current kubeconfig context, so point `kubectl` at the right cluster first, and the identity in that context needs read access to the resources being scanned; node scanning additionally deploys a short-lived collector job with elevated privileges, which may be blocked by admission policies. The `trivy k8s` syntax has changed between releases (newer versions scan the whole cluster by default and drop the `all` target), so confirm the form for your version with `trivy k8s --help`.
In Harbor, go to Interrogation Services → Scanners and add Trivy (it is the default built-in scanner in Harbor 2.x+, running as the trivy-adapter service with its own database updates). Enable 'Scan on Push' on a project to automatically trigger a Trivy scan whenever an image is pushed. Scan results appear in the image detail view with CVE counts per severity. You can also set a vulnerability severity threshold in the project's deployment security settings so that Harbor refuses pulls of images whose scan results meet or exceed it.