
Container Security Scanning with Trivy

By Admin · Mar 1, 2026 · Updated Apr 24, 2026 · 27 views · 2 min read


Trivy is a comprehensive security scanner that detects vulnerabilities in container images, file systems, and infrastructure-as-code configurations. Integrating Trivy into your workflow on your Breeze helps catch security issues before deployment.

Installation

sudo apt install -y wget apt-transport-https
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo "deb https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt update
sudo apt install trivy

Scan a Container Image

trivy image nginx:latest
trivy image --severity HIGH,CRITICAL my-app:v1.2.3

Scan Your Project Files

trivy fs --security-checks vuln,config /path/to/project

CI/CD Integration

Add Trivy as a build step to block deployments with critical vulnerabilities:

# Exit with error if CRITICAL vulns found
trivy image --exit-code 1 --severity CRITICAL my-app:latest

# Generate JSON report
trivy image --format json --output report.json my-app:latest

Scanning Best Practices

  • Scan images in CI before pushing to your registry
  • Set severity thresholds -- block CRITICAL, warn on HIGH
  • Scan base images regularly for newly discovered vulnerabilities
  • Use .trivyignore to suppress accepted false positives
  • Enable the SBOM (Software Bill of Materials) output for compliance
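The CI gate described above (block on CRITICAL, warn on HIGH, honour .trivyignore), applied to the JSON report that `trivy image --format json` writes. This is an added example, not code from the original article or from the Trivy project; the report and .trivyignore contents are constructed samples and the CVE identifiers are placeholders.

```python
import json
from collections import Counter

# Constructed sample in the layout of a Trivy JSON report (schema v2).
# The vulnerability IDs and package names are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "my-app:latest",
    "Results": [{
        "Target": "my-app:latest (debian 12)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
             "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libthird",
             "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "CRITICAL"},
        ],
    }, {"Target": "Node.js", "Vulnerabilities": None}],  # Trivy may emit null here
})

# Constructed .trivyignore contents: one vulnerability ID per line, '#' starts a comment.
SAMPLE_IGNORE = "# accepted risk: code path not reachable in our build\nCVE-0000-0003\n"


def load_ignore(text):
    """Parse .trivyignore text into the set of accepted vulnerability IDs."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def evaluate(report_text, ignore_text, block=("CRITICAL",)):
    """Return (exit_code, counts, findings); exit_code is 1 when any
    non-ignored finding has a severity listed in `block`."""
    ignored = load_ignore(ignore_text)
    counts, findings = Counter(), []
    for result in json.loads(report_text).get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # tolerate null/missing list
            if v["VulnerabilityID"] in ignored:
                continue
            counts[v["Severity"]] += 1
            findings.append((v["Severity"], v["VulnerabilityID"], v["PkgName"],
                             v.get("FixedVersion") or "no fix available"))
    return (1 if any(counts[s] for s in block) else 0), counts, findings


if __name__ == "__main__":
    code, counts, findings = evaluate(SAMPLE_REPORT, SAMPLE_IGNORE)
    for sev, vid, pkg, fix in sorted(findings):
        print(f"{'BLOCK' if sev == 'CRITICAL' else 'WARN':5} {sev:8} {vid} {pkg} ({fix})")
    raise SystemExit(code)   # non-zero exit fails the pipeline step
```

In a pipeline, feed it the file produced by `trivy image --format json --output report.json` and the repository's `.trivyignore` instead of the embedded samples.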

Scheduled Scanning

# Cron job to scan the application image nightly at 02:00 and keep a dated JSON report
0 2 * * * trivy image --format json --output /var/log/trivy/scan-$(date +\%F).json my-app:latest

Regular scanning ensures your Breeze deployments remain free of known vulnerabilities.
