Container Security Scanning with Trivy
Trivy scans container images for vulnerabilities, misconfigurations, and secrets. Catch security issues before deploying to production.
Why Scan Container Images?
Container images contain OS packages, libraries, and application dependencies. Each of these can have known vulnerabilities (CVEs). An unscanned image might contain critical security holes.
What Is Trivy?
Trivy is an open-source vulnerability scanner by Aqua Security. It scans container images for known vulnerabilities, misconfigurations, and embedded secrets.
Running a Scan
trivy image nginx:latest
Output shows:
What Trivy Detects
Vulnerabilities
Known CVEs in OS packages and language-specific dependencies.
Misconfigurations
Secrets
Integration
CI/CD
Scan images in your build pipeline. Fail the build if critical vulnerabilities are found.
Pre-Deployment
trivy image myapp:latest --severity CRITICAL,HIGH --exit-code 1
The --severity filter limits the report to CRITICAL and HIGH findings, and --exit-code 1 makes Trivy return exit code 1 if any such findings remain, so the pipeline step fails.
Scheduled Scans
Scan running containers periodically. New CVEs are discovered daily — an image that was clean yesterday might have a critical CVE today.
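The pre-deployment gate and the scheduled-scan comparison above can both be driven from Trivy's JSON output (trivy image --format json). The following is an added example, not Trivy's own code or part of the original page: it flattens a report, applies the same CRITICAL/HIGH gate that --severity CRITICAL,HIGH --exit-code 1 applies (with an optional equivalent of --ignore-unfixed), and diffs yesterday's report against today's to surface CVEs that were published in between. The two reports and their CVE identifiers, package names and versions are constructed sample data, and the assumed JSON layout (a Results list whose entries carry a Vulnerabilities list) is the one Trivy's JSON format uses.

```python
"""Severity gate and day-over-day delta for Trivy JSON reports.

Added example (not part of Trivy). Assumes the Trivy JSON layout:
{"Results": [{"Target": ..., "Vulnerabilities": [{"VulnerabilityID", "PkgName",
"InstalledVersion", "FixedVersion", "Severity"}]}]}. Sample data is constructed.
"""
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample: the same image scanned on two consecutive days.
# CVE IDs, package names and versions are placeholders, not real advisories.
YESTERDAY = json.loads("""
{"Results": [{"Target": "myapp:latest (alpine 3.19.1)",
  "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2024-0001", "PkgName": "libexample",
     "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "MEDIUM"}]}]}
""")
TODAY = json.loads("""
{"Results": [{"Target": "myapp:latest (alpine 3.19.1)",
  "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2024-0001", "PkgName": "libexample",
     "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-2024-0002", "PkgName": "libexample",
     "InstalledVersion": "1.0.0", "FixedVersion": "", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-2024-0003", "PkgName": "zlib-example",
     "InstalledVersion": "2.0.0", "FixedVersion": "2.0.1", "Severity": "HIGH"}]},
  {"Target": "app/requirements.txt", "Vulnerabilities": null}]}
""")


def findings(report):
    """Flatten a Trivy report into one dict per (target, package, CVE)."""
    out = []
    for result in report.get("Results", []):
        # Trivy emits null (not []) for a target with no findings.
        for v in result.get("Vulnerabilities") or []:
            out.append({
                "target": result.get("Target", ""),
                "id": v["VulnerabilityID"],
                "pkg": v.get("PkgName", ""),
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN").upper(),
            })
    return out


def gate(report, fail_on=("CRITICAL", "HIGH"), ignore_unfixed=False):
    """Return (exit_code, blocking_findings).

    Mirrors `--severity CRITICAL,HIGH --exit-code 1`; ignore_unfixed mirrors
    `--ignore-unfixed`, which drops findings with no fixed version yet.
    """
    blocking = [
        f for f in findings(report)
        if f["severity"] in fail_on and not (ignore_unfixed and not f["fixed"])
    ]
    blocking.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return (1 if blocking else 0), blocking


def new_since(previous, current):
    """Findings in `current` that were absent from `previous` for the same image.

    This is why scheduled rescans matter: the image bytes did not change,
    only the vulnerability database did.
    """
    seen = {(f["target"], f["pkg"], f["id"]) for f in findings(previous)}
    return [f for f in findings(current)
            if (f["target"], f["pkg"], f["id"]) not in seen]


if __name__ == "__main__":
    code, blocking = gate(TODAY)
    for f in blocking:
        fix = f["fixed"] or "no fix yet"
        print(f"{f['severity']:8} {f['id']} {f['pkg']} {f['installed']} -> {fix}")
    print("new since yesterday:", [f["id"] for f in new_since(YESTERDAY, TODAY)])
    raise SystemExit(code)
```

Running the script exits with status 1 because today's report carries a CRITICAL and a HIGH finding, exactly as the Trivy command on the page would; with ignore_unfixed=True only the HIGH finding that has a fixed version blocks, which is the usual choice for a gate that must not fail on issues the team cannot yet patch.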
Best Practices
Use Minimal Base Images
Alpine and distroless images ship fewer packages, which means fewer packages that can carry vulnerabilities.
Update Regularly
New image versions fix vulnerabilities. Update your containers when patches are available.
Don't Ignore Findings
Critical and high severity vulnerabilities should be addressed promptly. Medium severity findings can usually wait for the next regular update.
Scan in CI/CD
Catch vulnerabilities before they reach production.
On TinyPod
Run Trivy as a one-off scan (the image must be pullable by Trivy, for example from a registry, because the Trivy container cannot see images that exist only in the host's local image store unless that store is mounted into it):
podman run aquasec/trivy image your-app:latest
Or schedule regular scans of all your running containers.