Set Up Trivy
Image scanning.
Overview
Setting up Trivy brings container image scanning into the development workflow. Trivy scans containers, IaC, and dependencies for vulnerabilities; the install enables a CI-gated security posture without proprietary licensing.
- Image scanning. CVE detection in container images; catches OS-level vulnerabilities the application code never sees.
- IaC scanning. Terraform, CloudFormation, Kubernetes manifests; catches misconfiguration before it ships.
- Dependency scanning. Lockfile vulnerability detection; catches supply-chain CVEs in transitive dependencies.
- SBOM generation plus CI integration. Software Bill of Materials supports compliance; standard exit codes and JSON output match automation.
The approach
The practical approach: CI integration on every PR, severity thresholds tuned to risk, registry scanning continuous, suppressions documented, SBOM per release. The team’s discipline produces real security posture instead of unread scan output.
- CI integration. Trivy runs on every PR; catches regressions early before merge.
- Severity thresholds. Block CRITICAL and HIGH; warn on MEDIUM; matches risk to the gate behaviour.
- Registry scanning. Scan images in registry continuously; catches new CVEs in already-shipped images.
- Suppressions documented plus SBOM generation. .trivyignore records accepted exposures; SBOM per release supports compliance.
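Trivy itself can fail a job with --exit-code 1 --severity CRITICAL,HIGH; the block-versus-warn split and the suppression accounting described above are simpler to apply to its JSON output, which is what this added example does. It is not the page's or Trivy's own code; the report, the .trivyignore contents and the CVE IDs are constructed placeholders.

```python
"""Apply the page's gate policy to a Trivy JSON report (constructed sample)."""
import json

# Constructed sample in the shape of `trivy image --format json` output;
# the CVE IDs are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "app:1.0 (debian 12.5)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "curl", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib1g", "Severity": "MEDIUM"}]},
    {"Target": "package-lock.json", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "lodash", "Severity": "HIGH"}]},
    {"Target": "app/Dockerfile", "Vulnerabilities": None},  # Trivy emits null for a clean target
]})

# Constructed .trivyignore: one ID per line, '#' comments. Only the first token is the ID,
# so a trailing 'exp:YYYY-MM-DD' expiry (accepted by recent Trivy) is not evaluated here.
SAMPLE_TRIVYIGNORE = """
# accepted exposure: vulnerable code path not reachable; ticket TICKET-PLACEHOLDER
CVE-0000-0002 exp:2099-01-01
"""

BLOCK = {"CRITICAL", "HIGH"}  # fail the PR
WARN = {"MEDIUM"}             # report but do not fail

def load_suppressions(text):
    """Return the set of vulnerability IDs accepted in a .trivyignore file."""
    ids = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            ids.add(line.split()[0])
    return ids

def evaluate(report_json, trivyignore_text):
    """Return (exit_code, blocking, warnings, suppressed); rows are (id, pkg, target)."""
    accepted = load_suppressions(trivyignore_text)
    blocking, warnings, suppressed = [], [], []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:   # None -> nothing to gate
            row = (vuln["VulnerabilityID"], vuln["PkgName"], result["Target"])
            if row[0] in accepted:
                suppressed.append(row)   # documented acceptance, does not gate
            elif vuln["Severity"] in BLOCK:
                blocking.append(row)
            elif vuln["Severity"] in WARN:
                warnings.append(row)
    return (1 if blocking else 0), blocking, warnings, suppressed
```

In a pipeline, feed the file written by trivy image --format json -o report.json into evaluate together with the repository's .trivyignore, print the three lists in the job log, and use the first tuple element as the job's exit status.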
Why this compounds
Trivy discipline compounds across releases. Each scan reduces risk; the team’s supply-chain hygiene grows; new services inherit the scanning patterns from day one.
- Reduced supply-chain risk. Known CVEs caught early; the dependency vulnerability surfaces before it reaches production.
- Better release safety. Vulnerable images blocked; the gate stops the regression at PR rather than at incident.
- Compliance support. SBOM matches enterprise frameworks; opens markets that require supply-chain attestation.
- Institutional knowledge. Each scan teaches dependency patterns; the team’s supply-chain muscle grows.
Setting up Trivy is a security investment that pays off across years. Nova AI Ops integrates with security telemetry, surfaces patterns, and supports the team’s supply-chain discipline.