scanning-docker-images-with-trivy

star 2

Trivy is a comprehensive open-source vulnerability scanner by Aqua Security that detects vulnerabilities in OS packages, language-specific dependencies, misconfigurations, secrets, and license violati

oyi77 By oyi77 schedule Updated 6/8/2026
play_arrow Run Skill in Manus View GitHub

name: scanning-docker-images-with-trivy description: Trivy is a comprehensive open-source vulnerability scanner by Aqua Security that detects vulnerabilities in OS packages, language-specific dependencies, misconfigurations, secrets, and license violati domain: cybersecurity subdomain: container-security tags:

  • containers
  • docker
  • security
  • trivy
  • vulnerability-scanning version: '1.0' author: mahipal license: Apache-2.0 nist_csf:
  • PR.PS-01
  • PR.IR-01
  • ID.AM-08
  • DE.CM-01

Scanning Docker Images with Trivy

Overview

Trivy is a comprehensive open-source vulnerability scanner by Aqua Security that detects vulnerabilities in OS packages, language-specific dependencies, misconfigurations, secrets, and license violations within container images. It integrates into CI/CD pipelines and supports multiple output formats including SARIF, CycloneDX, and SPDX.

When to Use

  • When conducting security assessments that involve scanning docker images with trivy
  • When following incident response procedures for related security events
  • When performing scheduled security testing or auditing activities
  • When validating security controls through hands-on testing

Prerequisites

  • Docker Engine 20.10+
  • Trivy v0.50+ installed
  • Internet access for vulnerability database updates
  • Container registry credentials (for private registries)

Core Concepts

This section covers core concepts for scanning docker images with trivy.

  • Ensure all prerequisites are met before proceeding
  • Follow the documented workflow steps in sequence
  • Record results and any anomalies encountered during this phase

Scanner Types

Scanner Flag Detects
Vulnerability --scanners vuln CVEs in OS packages and libraries
Misconfiguration --scanners misconfig Dockerfile/K8s manifest misconfigs
Secret --scanners secret Hardcoded passwords, API keys, tokens
License --scanners license Software license compliance issues

Severity Levels

  • CRITICAL: CVSS 9.0-10.0 - Immediate action required
  • HIGH: CVSS 7.0-8.9 - Fix before production deployment
  • MEDIUM: CVSS 4.0-6.9 - Plan remediation
  • LOW: CVSS 0.1-3.9 - Accept or fix opportunistically
  • UNKNOWN: Unscored - Evaluate manually

Vulnerability Database

Trivy uses multiple vulnerability databases:

  • NVD (National Vulnerability Database)
  • Red Hat Security Data
  • Alpine SecDB
  • Debian Security Tracker
  • Ubuntu CVE Tracker
  • Amazon Linux Security Center
  • GitHub Advisory Database

Workflow

  1. Prepare the environment — ensure write-blocker is connected and test workstation is ready
  2. Document the source — record device serial, model, and pre-acquisition hash
  3. Acquire the image — use the appropriate tool with hash verification enabled
  4. Verify integrity — compare source and image hashes; document any discrepancies
  5. Analyze and report — perform the analysis and document findings with chain of custody

Step 1: Install Trivy

# Linux (apt)
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update && sudo apt-get install trivy

# macOS
brew install trivy

# Docker
docker pull aquasecurity/trivy:latest

Step 2: Basic Image Scanning

# Scan a public image
trivy image python:3.12-slim

# Scan with severity filter
trivy image --severity CRITICAL,HIGH nginx:latest

# Ignore unfixed vulnerabilities
trivy image --ignore-unfixed alpine:3.19

# Scan local image
docker build -t myapp:latest .
trivy image myapp:latest

# Scan from tar archive
docker save myapp:latest -o myapp.tar
trivy image --input myapp.tar

Step 3: Advanced Scanning Options

# All scanners (vuln + misconfig + secret + license)
trivy image --scanners vuln,misconfig,secret,license myapp:latest

# Generate SBOM in CycloneDX format
trivy image --format cyclonedx --output sbom.cdx.json myapp:latest

# Generate SBOM in SPDX format
trivy image --format spdx-json --output sbom.spdx.json myapp:latest

# JSON output for programmatic processing
trivy image --format json --output results.json myapp:latest

# SARIF output for GitHub Security tab
trivy image --format sarif --output results.sarif myapp:latest

# Template-based output
trivy image --format template --template "@contrib/html.tpl" --output report.html myapp:latest

# Scan specific layers only
trivy image --list-all-pkgs myapp:latest

Step 4: Scanning Kubernetes Manifests

# Scan Dockerfile for misconfigurations
trivy config Dockerfile

# Scan Kubernetes manifests
trivy config k8s-deployment.yaml

# Scan Helm charts
trivy config ./helm-chart/

# Scan Terraform files
trivy config ./terraform/

Step 5: CI/CD Integration

# GitHub Actions
name: Trivy Container Scan
on: push

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: myapp:${{ github.sha }}
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          exit-code: 1

      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: trivy-results.sarif

      - name: Generate SBOM
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: myapp:${{ github.sha }}
          format: cyclonedx
          output: sbom.cdx.json

# GitLab CI
trivy-scan:
  stage: security
  image:
    name: aquasecurity/trivy:latest
    entrypoint: [""]
  script:
    - trivy image --exit-code 1 --severity CRITICAL,HIGH
        --format json --output gl-container-scanning-report.json
        $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json

Step 6: Policy Enforcement with .trivyignore

# .trivyignore - Ignore specific CVEs with expiry
# Accepted risk: low-impact vulnerability in dev dependency
CVE-2023-12345 exp:2025-06-01

# False positive: not exploitable in our configuration
CVE-2024-67890

# Vendor will not fix
CVE-2023-11111

Step 7: Scan Private Registry Images

# Docker Hub (uses ~/.docker/config.json)
trivy image myregistry.azurecr.io/myapp:latest

# ECR
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin <account>.dkr.ecr.us-east-1.amazonaws.com
trivy image <account>.dkr.ecr.us-east-1.amazonaws.com/myapp:latest

# GCR
trivy image gcr.io/my-project/myapp:latest

# With explicit credentials
TRIVY_USERNAME=user TRIVY_PASSWORD=pass trivy image registry.example.com/myapp:latest

Validation Commands

# Verify Trivy installation
trivy version

# Update vulnerability database
trivy image --download-db-only

# Quick scan with table output
trivy image --severity CRITICAL python:3.12

# Verify no CRITICAL vulnerabilities
trivy image --exit-code 1 --severity CRITICAL myapp:latest
echo "Exit code: $?"  # 0 = no vulns, 1 = vulns found

When NOT to Use

  • You need to perform manual testing (use performing-* skills)
  • Task is about analyzing scan results (use analyzing-* skills)
  • You need to implement scanning tools (use implementing-* skills)
  • Task is about building scanning infrastructure (use building-* skills)
  • You don't have network access to targets
  • Task requires compliance validation (use auditing-* skills)

Red Flags

  • Performing actions without explicit written authorization from the asset owner
  • Testing against production systems without a defined scope and rules of engagement
  • Failing to use write-blockers when acquiring forensic evidence
  • Not verifying hash integrity before and after imaging
  • Modifying original evidence during analysis

Verification

  • All steps executed successfully against a test environment before production use
  • Output documented with screenshots or logs demonstrating expected behavior
  • Hash values computed and verified match between source and image
  • Chain of custody log complete with timestamps and examiner names
  • Analysis tools and versions documented for reproducibility

References

Process

  1. Analyze the task requirements
  2. Apply domain expertise
  3. Verify output quality

Anti-Rationalization

Rationalization Reality
"We are too small to be targeted" Automated attacks target everyone. Size does not matter.
"Security slows us down" A breach slows you down 100x more. Build security in from the start.
"We will fix it after launch" Vulnerabilities in production are exploited within hours. Fix before deploy.
Install via CLI
npx skills add https://github.com/oyi77/1ai-skills --skill scanning-docker-images-with-trivy
Repository Details
star Stars 2
call_split Forks 0
navigation Branch main
article Path SKILL.md
More from Creator
oyi77
oyi77 Explore all skills →