Tools Practical By Samson Tanimawo, PhD Published Nov 27, 2025 4 min read

trivy for Container Image Scanning

trivy scans images for CVEs.

Basic usage

trivy image registry/repo:tag scans a container image. Reports CVEs by severity, fixed versions, and library context.

trivy fs ./ scans a local filesystem or git repo for vulnerabilities. Useful for IaC and source code scanning.

trivy config ./ scans Terraform, Kubernetes manifests, and Dockerfiles for misconfigurations.

Pre-build scan: trivy on the Dockerfile and dependencies. Catches issues before image build.

Post-build scan: trivy on the built image. Comprehensive view including base image vulnerabilities.

Severity gates: fail the build on critical or high CVEs. Configurable thresholds; severity escape valves for known-not-applicable issues.

.trivyignore file: list CVEs to ignore. Used for false positives or accepted-risk vulnerabilities.

VEX (Vulnerability Exchange) attestations: structured way to mark CVEs as not-applicable. Better than .trivyignore for compliance.

Periodic review of ignores. CVEs that were not-applicable last quarter may apply this quarter as the codebase evolves.

Trivy server mode: a long-running scanner that integrates with registries. ECR, Harbor, GHCR support.

Pull-on-push scanning: registry triggers scan on every image push. Results visible in registry UI.

Cached scans: trivy database is cached locally and updated periodically. Avoids redundant work for the same image layer.

Snyk: commercial; richer remediation suggestions; integrates with developer workflow tools.

Grype (Anchore): similar feature set; different vulnerability database. Some teams run both for coverage.

Trivy advantages: open source; broad scanner support (images, IaC, code, Kubernetes); fast updates.