
How to Use Trivy to Scan Container Images for Vulnerabilities

By Admin · Mar 15, 2026 · Updated Apr 24, 2026

Trivy is an open-source security scanner that checks container images, filesystems, and code repositories for known vulnerabilities in OS packages and application dependencies, for misconfigurations in infrastructure-as-code files, and for exposed secrets. It is fast, runs as a single binary, and returns a non-zero exit code on demand, which makes it easy to use as a gate in CI/CD pipelines.

Installation

# Ubuntu/Debian. apt-key is deprecated: store the repository signing key in its
# own keyring and bind it to this one repository with signed-by, so the key
# cannot vouch for packages from any other source.
sudo apt install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | \
  gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | \
  sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt update && sudo apt install trivy

# Or use the official image. Scanning nginx:latest this way pulls it from the
# registry. Mount the Docker socket to scan images already built on the host,
# and mount a cache directory so the vulnerability database is not downloaded
# on every run.
docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v "$HOME/.cache/trivy:/root/.cache/trivy" \
  aquasec/trivy image nginx:latest

Scanning Container Images

# Scan a Docker image (pulled from the registry if it is not present locally).
# A tag such as :latest is mutable, so two scans may look at different images;
# in a pipeline scan the exact digest you deploy (nginx@sha256:...).
trivy image nginx:latest

# Scan with severity filter
trivy image --severity HIGH,CRITICAL nginx:latest

# Fail the pipeline on critical vulnerabilities: the exit code is 1 if any
# finding at the selected severities remains, 0 otherwise
trivy image --exit-code 1 --severity CRITICAL nginx:latest

# Scan a locally built image
docker build -t myapp:latest .
trivy image myapp:latest

# Hide findings for which the distribution has not shipped a fix yet. This keeps
# a CI gate actionable, but those vulnerabilities are still present in the
# image, so re-run without the flag periodically or track them separately.
trivy image --ignore-unfixed nginx:latest

Scanning Filesystems

# Scan your server filesystem (trivy fs is an alias; a full host scan is slow)
sudo trivy filesystem /

# Scan a specific directory
trivy filesystem /var/www/myapp

# Scan only for secrets (API keys, passwords, private keys committed in code);
# by default the vulnerability and secret scanners both run
trivy filesystem --scanners secret /var/www/myapp

Scanning Code Repositories

# Scan a remote Git repository (cloned to a temporary directory)
trivy repo https://github.com/yourname/yourapp

# Scan for misconfigurations only (Dockerfile, Kubernetes manifests, Terraform)
trivy config ./

# Scan for license compliance issues in the image's packages
trivy image --scanners license nginx:latest

CI/CD Integration

# GitHub Actions example: build the image, publish the findings to the
# Security tab, then gate the job on fixable HIGH/CRITICAL findings
name: Security Scan
on: [push, pull_request]
permissions:
  contents: read
  security-events: write   # required to upload SARIF
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .
      # Pin third-party actions to a release tag (or a full commit SHA), never
      # to a moving branch such as @master, so a compromised upstream cannot
      # silently change what runs in your pipeline
      - name: Trivy SARIF report
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: myapp:${{ github.sha }}
          format: sarif
          output: trivy-results.sarif
          exit-code: 0
      - name: Upload results to the GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
      - name: Trivy vulnerability gate
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: myapp:${{ github.sha }}
          format: table
          exit-code: 1
          ignore-unfixed: true
          severity: CRITICAL,HIGH

Output Formats

# Table (default, human-readable)
trivy image nginx:latest

# JSON (for programmatic processing)
trivy image -f json -o results.json nginx:latest
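
To act on the JSON output in a pipeline, the following script is an added example, not part of Trivy or of this page's original content. It assumes the report layout Trivy writes for -f json (a top-level Results list whose entries carry Target, Class and a Vulnerabilities list with VulnerabilityID, PkgName, InstalledVersion, an optional FixedVersion and Severity) and embeds a constructed sample report with placeholder CVE IDs so that it runs offline. The policy functions mirror --severity, --ignore-unfixed and the .trivyignore file (including its exp:YYYY-MM-DD expiry convention), so the same rules can be applied in code to a stored report.

```python
"""Gate a CI build on a Trivy JSON report (added example, not Trivy's own code).

Usage: gate.py results.json [.trivyignore]; with no arguments it evaluates the
built-in sample report.
"""
import json
import sys
from collections import Counter
from datetime import date

SEVERITY_ORDER = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample report in Trivy's JSON layout (not a real scan; the CVE
# IDs are placeholders, not real vulnerabilities).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "myapp:latest",
    "Results": [
        {
            "Target": "myapp:latest (debian 12.5)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "CRITICAL"},
                # No FixedVersion: the distribution has not shipped a fix yet.
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother2",
                 "InstalledVersion": "2.1-3", "Severity": "HIGH"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "somelib",
                 "InstalledVersion": "0.9.0", "FixedVersion": "1.0.0",
                 "Severity": "MEDIUM"},
            ],
        },
        # A secret-scanner result carries no "Vulnerabilities" key at all.
        {"Target": "app/settings.py", "Class": "secret", "Secrets": []},
    ],
})


def load_sample():
    """Parse the embedded sample report."""
    return json.loads(SAMPLE_REPORT)


def findings(report):
    """Flatten every Results[].Vulnerabilities[] entry into one flat record."""
    out = []
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            out.append({
                "target": result.get("Target", ""),
                "id": v.get("VulnerabilityID", ""),
                "pkg": v.get("PkgName", ""),
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),  # empty when unfixed
                "severity": v.get("Severity", "UNKNOWN").upper(),
            })
    return out


def summarize(report):
    """Count findings per severity, like the totals line of the table output."""
    return dict(Counter(f["severity"] for f in findings(report)))


def parse_trivyignore(text, today=None):
    """Read a .trivyignore: one ID per line, '#' comments, optional 'exp:YYYY-MM-DD'.
    An entry whose expiry date has passed stops being ignored, so accepted risks
    come back into the gate instead of living forever."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    ignored = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        expiry = next((p[4:] for p in parts[1:] if p.startswith("exp:")), None)
        if expiry and date.fromisoformat(expiry) < today:
            continue
        ignored.add(parts[0])
    return ignored


def gate(report, fail_on=("HIGH", "CRITICAL"), ignore_unfixed=True, ignored=frozenset()):
    """Return (passed, blocking_findings). Mirrors --severity (fail_on),
    --ignore-unfixed and .trivyignore; blocking findings are sorted worst first."""
    blocking = [
        f for f in findings(report)
        if f["severity"] in fail_on
        and (f["fixed"] or not ignore_unfixed)
        and f["id"] not in ignored
    ]
    rank = lambda s: SEVERITY_ORDER.index(s) if s in SEVERITY_ORDER else 0
    blocking.sort(key=lambda f: rank(f["severity"]), reverse=True)
    return (not blocking), blocking


def main(argv):
    report = json.load(open(argv[1])) if len(argv) > 1 else load_sample()
    ignored = parse_trivyignore(open(argv[2]).read()) if len(argv) > 2 else frozenset()
    print("findings by severity:", summarize(report))
    passed, blocking = gate(report, ignored=ignored)
    for f in blocking:
        print(f"BLOCK {f['severity']:8} {f['id']} {f['pkg']} "
              f"{f['installed']} -> {f['fixed']} ({f['target']})")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample report the default policy blocks only CVE-0000-0001: the HIGH finding has no fix and is skipped under ignore_unfixed, the MEDIUM one is below the threshold. Passing ignore_unfixed=False brings the unfixed HIGH back, which is the check worth running on a schedule even if the per-commit gate hides it.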

# SARIF (for GitHub Security tab)
trivy image -f sarif -o results.sarif nginx:latest

# HTML report. The templates live under contrib/ in the Trivy source tree; the
# deb and rpm packages install them to /usr/local/share/trivy/templates.
trivy image -f template --template "@/usr/local/share/trivy/templates/html.tpl" \
  -o report.html nginx:latest

Best Practices

  1. Scan images before deploying to production, and scan the exact digest you deploy rather than a mutable tag
  2. Integrate Trivy into your CI/CD pipeline with --exit-code 1 for HIGH and CRITICAL findings; keep the gate actionable with --ignore-unfixed, and record accepted risks in a .trivyignore with an expiry date instead of loosening the gate
  3. Use minimal base images (Alpine, distroless) to reduce the attack surface and the number of packages to patch
  4. Rebuild images regularly to pick up security patches; a scan is a point-in-time result, and new CVEs are published against images that have not changed, so rescan what is already running as well
  5. Scan both OS packages and application dependencies; Trivy only sees language packages when the lockfiles or installed package metadata are present in the image or repository
  6. Pin the Trivy version and any CI actions you use to a release tag or commit SHA, so the scanner itself is not an unreviewed moving part of your supply chain
