Trivy Container Scanning
Trivy is the fastest way to scan images.
Step 1: Install
Homebrew: brew install trivy
Install script: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh
Step 2: Scan an image
trivy image nginx:latest
Outputs CVEs grouped by severity. Takes 30-60s on the first run while the vulnerability DB downloads; faster after that.
Step 3: Read the report
The report is structured noise until you triage by severity and fixability; do that and it becomes a backlog.
- Critical / High first. These are exploit-grade; everything else waits.
- Per-CVE columns. Each row gives package, installed version, fixed version, and the CVE link to the vendor advisory.
- Fixed vs unfixed. Filter with --ignore-unfixed when you need an actionable list; you cannot patch what has no fix.
- JSON output. --format json for machine triage; pipe into your vulnerability tracker rather than copy-pasting.
Step 4: CI integration
Scanning is only useful if it gates the pipeline. Wire it into CI so a critical CVE blocks the build, not a Slack message.
- Gate. trivy image $IMAGE_TAG --severity CRITICAL,HIGH --exit-code 1 fails the build on findings at or above the threshold.
- Cache. Cache the Trivy DB between CI runs; the first download is the slow part.
- Allowlist. Use .trivyignore for accepted-risk CVEs, with a comment naming the ticket and review date.
- Output to PR. SARIF output uploaded to GitHub code scanning surfaces findings in the PR review tab.
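As an added example (not from this tutorial or the Trivy project), the triage from Step 3 and the gate from Step 4 done in Python over a --format json report: the same severity, fixability and .trivyignore filters, applied to rows you can push to a tracker. The report and ignore file are constructed samples with placeholder CVE ids, and the field names assume Trivy's JSON layout (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity).

```python
import json

# Constructed sample in the shape of `trivy image --format json`; the CVE ids
# are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({"ArtifactName": "nginx:latest", "Results": [{
    "Target": "nginx:latest (debian 12.5)", "Class": "os-pkgs",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "Severity": "CRITICAL",
         "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.11-2"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6", "Severity": "HIGH",
         "InstalledVersion": "2.36-9", "FixedVersion": ""},   # no vendor fix yet
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib1g", "Severity": "HIGH",
         "InstalledVersion": "1.2.13-1", "FixedVersion": "1.2.13-2"},
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "curl", "Severity": "MEDIUM",
         "InstalledVersion": "7.88.1-10", "FixedVersion": "7.88.1-11"},
    ]}]})

# Constructed .trivyignore: one CVE id per line; '#' comments name the ticket.
SAMPLE_IGNORE = """
# SEC-123 accepted risk, review 2025-01-31
CVE-0000-0003
"""

def load_ignore(text):
    """CVE ids from .trivyignore text, skipping blank lines and '#' comments."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids

def triage(report_json, ignore_text="", severities=("CRITICAL", "HIGH"),
           ignore_unfixed=True):
    """Rows that would fail the gate: --severity, --ignore-unfixed and .trivyignore applied."""
    ignored = load_ignore(ignore_text)
    rows = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key is absent when clean
            if v["Severity"] not in severities or v["VulnerabilityID"] in ignored:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            rows.append((v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"],
                         v["FixedVersion"], v["Severity"]))
    return rows

def gate_exit_code(report_json, ignore_text=""):
    """What --exit-code 1 does: non-zero when any actionable finding remains."""
    return 1 if triage(report_json, ignore_text) else 0
```

On the sample, only the fixable Critical survives the filters: the unfixed High is deferred, the allowlisted High is skipped and the Medium is below the threshold, so the gate returns 1 with exactly one row to file.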
Antipatterns
- Scanning latest tag forever. Pin and rescan on update.
- Failing CI on every Medium. Engineers learn to skip.
- Scanning without remediation tracking. Findings rot.
What to do this week
Three moves. (1) Run the tutorial end-to-end on your own laptop / sandbox. (2) Apply the pattern to one production workload. (3) Document the variations you needed; share with the team.