Why Trivy Is the Default Scanner
Trivy by Aqua Security scans container images, filesystems, git repositories, Kubernetes clusters, IaC files and existing SBOMs, and reports known vulnerabilities, misconfigurations, exposed secrets and licence issues from a single binary. One tool covers the checks that would otherwise need three or four.
Quick Start
# Install (macOS/Linux via Homebrew)
brew install trivy
# or with the upstream install script; piping a script from a branch into sh
# is a supply-chain risk, so pass a release tag as the last argument to pin it
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
# Scan a container image (pulls it if not present locally)
trivy image python:3.11-slim
# Scan the current directory (lockfiles, IaC, secrets)
trivy fs .
# Scan the Kubernetes cluster of the current kubeconfig context
trivy k8s --report summary
Scan Container Images
# Only report HIGH and CRITICAL findings
trivy image --severity HIGH,CRITICAL nginx:latest
# JSON output for CI/CD or further processing (keep this as a build artifact)
trivy image --format json -o results.json node:20-alpine
# Hide findings that have no vendor fix yet; they are still real, so only do
# this for the gating run, not for the report you archive
trivy image --ignore-unfixed alpine:3.19
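The severity and fixed-only filters above are useful, but once you apply them on the command line the filtered findings are gone from the report. A common pattern is to run one unfiltered JSON scan, archive it, and apply the gating policy to the JSON afterwards. The script below is an added example, not code from the original post or from Trivy itself; it reads the shape of Trivy's SchemaVersion 2 JSON report (`Results[].Vulnerabilities[]` with `Severity` and `FixedVersion`) and the embedded sample report and its CVE identifiers are constructed placeholders.

```python
#!/usr/bin/env python3
"""CI gate over a saved Trivy JSON report (added example, not Trivy's code).

Usage: gate.py results.json   (no argument: runs against the embedded sample)
Exit status 1 when any finding violates the policy, 0 otherwise.
"""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of `trivy image --format json` output.
# The CVE identifiers are placeholders, not real advisories.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example/app:1.0",
    "ArtifactType": "container_image",
    "Results": [
        {"Target": "example/app:1.0 (debian 12)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-1111", "PkgName": "libfoo1",
              "InstalledVersion": "1.2.0-1", "FixedVersion": "1.2.1-1", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-2222", "PkgName": "libbar2",
              "InstalledVersion": "2.0.0-3", "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-3333", "PkgName": "libbaz0",
              "InstalledVersion": "0.9.0-1", "FixedVersion": "0.9.2-1", "Severity": "MEDIUM"},
         ]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-4444", "PkgName": "somelib",
              "InstalledVersion": "3.1.0", "FixedVersion": "3.1.2", "Severity": "LOW"},
         ]},
        # A clean target: Trivy omits the "Vulnerabilities" key entirely.
        {"Target": "app/Dockerfile", "Class": "config", "Type": "dockerfile"},
    ],
}


def iter_vulnerabilities(report):
    """Yield (target, vulnerability) pairs, tolerating targets with no findings."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def evaluate(report, min_severity="HIGH", fail_on_unfixed=False):
    """Return (blocking, counts).

    blocking: findings at or above min_severity that should fail the build;
    by default a finding with no FixedVersion is counted but not blocking,
    which mirrors --ignore-unfixed without dropping it from the report.
    counts: number of findings per severity across the whole report.
    """
    threshold = SEVERITY_RANK[min_severity.upper()]
    blocking, counts = [], Counter()
    for target, vuln in iter_vulnerabilities(report):
        severity = str(vuln.get("Severity", "UNKNOWN")).upper()
        counts[severity] += 1
        if SEVERITY_RANK.get(severity, 0) < threshold:
            continue
        fixed = vuln.get("FixedVersion") or ""
        if not fixed and not fail_on_unfixed:
            continue
        blocking.append({
            "id": vuln.get("VulnerabilityID", "?"), "target": target,
            "pkg": vuln.get("PkgName", "?"), "severity": severity,
            "installed": vuln.get("InstalledVersion", "?"),
            "fixed": fixed or "(no fix yet)",
        })
    # Most severe first, then by ID so the output is stable across runs.
    blocking.sort(key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), f["id"]))
    return blocking, counts


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    blocking, counts = evaluate(report)
    summary = ", ".join(f"{s}={counts[s]}" for s in sorted(counts, key=SEVERITY_RANK.get, reverse=True))
    print(f"{report.get('ArtifactName')}: {summary}")
    for f in blocking:
        print(f"  BLOCK {f['severity']:<8} {f['id']:<16} {f['pkg']} "
              f"{f['installed']} -> {f['fixed']}  [{f['target']}]")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 gate.py results.json` after the JSON scan. The default policy (fixable HIGH/CRITICAL blocks; unfixed findings are counted but do not block) is a starting point; tighten it per environment by changing the two keyword arguments rather than by filtering the scan itself, so the archived report stays complete.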
Scan IaC (Terraform, CloudFormation, Dockerfile)
# Scan Terraform files
trivy config ./terraform/
# Scan a Dockerfile (the built-in checks apply by default; a policy-namespace
# flag is only needed when you load custom Rego checks)
trivy config ./Dockerfile
# Scan Helm charts (templates are rendered with the chart's default values)
trivy config ./charts/my-app/
Example finding:
Dockerfile (dockerfile)
========================
Tests: 23 (SUCCESSES: 20, FAILURES: 3)
Failures: 3 (HIGH: 1, MEDIUM: 2)
HIGH: Specify a tag in the FROM statement
RUN: FROM python
Message: When using a FROM statement, use a specific tag
CI/CD Integration (GitHub Actions)
name: Security Scan
on: push
permissions:
  contents: read
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy vulnerability scan
        # Pin to a release tag or, better, a full commit SHA: @master would let
        # the action change underneath the pipeline on every run
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          severity: HIGH,CRITICAL
          exit-code: 1
Generate SBOM
# CycloneDX format
trivy image --format cyclonedx -o sbom.json nginx:latest
# SPDX format
trivy image --format spdx-json -o sbom.spdx.json nginx:latest
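The value of keeping an SBOM per image shows up when a new advisory lands: instead of re-pulling and re-scanning every image, you query the stored SBOMs for the affected package and version range. The script below is an added example, not part of the original post or of Trivy; it works on the CycloneDX JSON that `trivy image --format cyclonedx` writes (a flat `components` list whose entries carry a `purl`). The embedded SBOM is a constructed sample, and the version comparison is a deliberately simplified one for dotted numeric schemes, noted as such in the code.

```python
#!/usr/bin/env python3
"""Find components below a fixed version in stored CycloneDX SBOMs.

Added example, not Trivy's own code.
Usage: sbom_query.py <dir> <purl-type> <name> <fixed-version>
       e.g. sbom_query.py ./sboms deb openssl 3.0.13
No arguments: runs that query against the embedded sample.
"""
import json
import re
import sys
from pathlib import Path
from urllib.parse import unquote

# Constructed sample resembling a trimmed Trivy CycloneDX 1.5 document.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": "example/app:1.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.11-1",
         "purl": "pkg:deb/debian/openssl@3.0.11-1?arch=amd64&distro=debian-12"},
        {"type": "library", "name": "libssl3", "version": "3.0.13-1",
         "purl": "pkg:deb/debian/libssl3@3.0.13-1?arch=amd64&distro=debian-12"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "core", "version": "1.9.0",
         "purl": "pkg:npm/%40scope/core@1.9.0"},
        # No purl: e.g. a binary Trivy could not attribute to any package.
        {"type": "application", "name": "custom-tool", "version": "0.3"},
    ],
}


def parse_purl(purl):
    """Return (type, namespace, name, version) from a package URL, or None.

    Qualifiers and subpath are dropped and names are percent-decoded. This is
    a minimal parser for the purl shapes Trivy emits, not a full spec one.
    """
    if not purl or not purl.startswith("pkg:"):
        return None
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    path, _, version = body.partition("@")
    ptype, _, rest = path.strip("/").partition("/")
    namespace, _, name = rest.rpartition("/")
    return ptype, unquote(namespace), unquote(name), version


def version_key(version):
    """Sort key under which 3.0.9 < 3.0.13 (plain string order says otherwise).

    Splits on . - + ~ : and compares numeric runs as integers. Simplified on
    purpose: Debian epochs/tildes and PEP 440 pre-releases need the
    ecosystem's own comparator for exact results.
    """
    key = []
    for part in re.split(r"[.\-+~:]", version):
        m = re.match(r"(\d+)(.*)", part)
        key.append((0, int(m.group(1)), m.group(2)) if m else (1, 0, part))
    return key


def find_affected(sbom, ecosystem, name, fixed_version):
    """Components whose purl type and name match and whose version is below
    fixed_version. Matching on purl type matters: 'openssl' in deb and
    'openssl' on PyPI are unrelated packages with unrelated advisories."""
    hits = []
    for comp in sbom.get("components") or []:
        parsed = parse_purl(comp.get("purl"))
        if parsed is None:
            continue
        ptype, _namespace, pname, version = parsed
        if ptype != ecosystem or pname != name:
            continue
        if version_key(version) < version_key(fixed_version):
            hits.append({"name": pname, "version": version, "purl": comp["purl"]})
    return hits


def scan_directory(directory, ecosystem, name, fixed_version):
    """Apply find_affected to every CycloneDX *.json file under directory."""
    results = {}
    for path in sorted(Path(directory).rglob("*.json")):
        try:
            sbom = json.loads(path.read_text())
        except ValueError:
            continue  # not JSON; skip it
        if not isinstance(sbom, dict) or sbom.get("bomFormat") != "CycloneDX":
            continue
        hits = find_affected(sbom, ecosystem, name, fixed_version)
        if hits:
            results[str(path)] = hits
    return results


def main(argv):
    if len(argv) == 5:
        results = scan_directory(argv[1], argv[2], argv[3], argv[4])
    else:
        results = {"<sample>": find_affected(SAMPLE_SBOM, "deb", "openssl", "3.0.13")}
    for source, hits in results.items():
        for h in hits:
            print(f"{source}: {h['name']} {h['version']} ({h['purl']})")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Point it at the directory where your pipeline archives one `sbom.json` per image tag. The same query works on SPDX output if you adapt the component walk, since Trivy puts the same purl into SPDX `externalRefs`.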
Key Features
- All-in-one: images, filesystems, git repos, Kubernetes, IaC and SBOMs, plus secret and licence detection
- Fast: the first run downloads the vulnerability DB; after that most image scans finish in seconds because the DB and analysed layers are cached
- Offline mode: fetch the DB once with --download-db-only, then scan air-gapped hosts with --skip-db-update and --offline-scan
- Zero config: sensible defaults out of the box
- Open source: Apache 2.0, maintained by Aqua Security, and the default built-in scanner in Harbor
Resources
Need to scan and extract vulnerability data from container registries at scale? Check out my Apify tools or email spinov001@gmail.com for custom security data extraction.