

How to Automate Vulnerability Scans with Trivy

"Manual scanning finds yesterday’s risks; automated scanning protects tomorrow’s releases."

Table of Contents

  1. Introduction
  2. What Is Trivy?
  3. Why Vulnerability Scanning Matters
  4. Key Features of Trivy
  5. Installing and Setting Up Trivy
  6. How to Run a Manual Scan
  7. Automating Vulnerability Scans in CI/CD Pipelines
  8. Integrating Trivy with Docker and Kubernetes
  9. Interesting Facts & Statistics
  10. FAQs
  11. Key Takeaways
  12. Conclusion

Introduction

As DevOps and security merge into DevSecOps, automation becomes key to maintaining secure and fast software delivery. One tool that has become essential in this space is Trivy, an open-source vulnerability scanner that detects security issues in container images, file systems, IaC (Infrastructure as Code) templates, and more.

This guide walks you through how to automate vulnerability scans using Trivy, integrate it into CI/CD pipelines, and ensure your software stays secure — without slowing down your delivery cycle.

What Is Trivy?

Trivy (by Aqua Security) is a simple yet powerful open-source vulnerability scanner. It scans:

  • Container images
  • File systems and repositories
  • Infrastructure as Code (Terraform, Helm, etc.)

and, for those targets, it detects or generates:

  • Known vulnerabilities (CVEs)
  • Misconfigurations
  • Secret leaks
  • Software Bill of Materials (SBOMs)

Trivy’s lightweight design and easy integration make it a favorite among DevOps teams looking for quick security insights.

Why Vulnerability Scanning Matters

In 2025, over 85% of security breaches are linked to vulnerabilities in third-party components.
With continuous deployment cycles, vulnerabilities can slip into production unnoticed.
Automated scanning ensures:

  • Early detection of issues
  • Compliance with security standards
  • Reduced risk of production exploits
  • Faster incident response

Key Features of Trivy

  • Wide Coverage – Scans OS packages, libraries, IaC, and Kubernetes manifests.
  • Fast & Lightweight – Uses local caching to reduce scan times.
  • Comprehensive Security – Detects CVEs, secrets, and config flaws.
  • CI/CD Ready – Easily integrates with GitHub Actions, Jenkins, GitLab CI, and others.
  • SBOM Support – Generates Software Bill of Materials in multiple formats (JSON, SPDX, CycloneDX).

Installing and Setting Up Trivy

For Linux/macOS:

  • brew install aquasecurity/trivy/trivy (macOS or Linux with Homebrew)
  • sudo apt install trivy -y (Debian/Ubuntu, after adding Aqua Security’s apt repository and its signing key)

For Docker-based:

  • docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image nginx:latest

The socket mount lets the scanner read images that already exist in the local Docker daemon. Because that socket grants full control of the daemon, mount it only for a scanner image you trust; for images pulled straight from a registry it can be left out.

To verify installation:

  • trivy --version

How to Run a Manual Scan

Scan a Docker image:

  • trivy image nginx:latest

Scan a local directory:

  • trivy fs .

Scan a Git repository:

  • trivy repo https://{url}

You’ll get a detailed vulnerability report with severity levels: LOW, MEDIUM, HIGH, and CRITICAL.

"Trivy turns vulnerability scanning from a task into a habit, and from a habit into a safety net."

Automating Vulnerability Scans in CI/CD Pipelines

Example: GitHub Actions

name: Trivy Scan
on:
  push:
    branches: [ main ]

jobs:
  trivy-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      # The image named in image-ref must already exist: build it in an
      # earlier step or let Trivy pull it from your registry.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'your-docker-image:latest'
          format: 'table'
          # Fail the job only on CRITICAL findings; widen to 'CRITICAL,HIGH' if needed.
          severity: 'CRITICAL'
          exit-code: '1'
          ignore-unfixed: true


Because exit-code is set to 1, the step fails whenever Trivy reports a matching vulnerability, so the pipeline stops before unsafe code deploys. ignore-unfixed: true skips findings that have no patched version yet, and the severity input (for example severity: 'CRITICAL,HIGH') limits which findings break the build; without it, a finding of any severity fails the job. Two practical caveats: the image named in image-ref must be built or pulled earlier in the job, and the action should be pinned to a release tag or commit SHA rather than @master so the scanner running in your pipeline cannot change underneath you.

Integrating Trivy with Docker and Kubernetes

Scan a Docker Image Before Push:

  • trivy image myapp:latest

Scan Running Pods in Kubernetes:

  • trivy k8s --report summary cluster

You can even automate this using CronJobs in Kubernetes to perform daily scans and push results to Slack or email.

Interesting Facts & Statistics

  • Around 70% of organizations rely on open-source components that contain known vulnerabilities, making automated scanning essential for security. Source: Open-source vulnerabilities
  • Trivy supports more than 30 vulnerability databases, including major sources like GitHub Security Advisories and the NVD (National Vulnerability Database). Source: GitHub Security Advisories
  • A typical Trivy scan is highly efficient and can complete in under 60 seconds, making it suitable even for fast-paced CI/CD environments. Source: Trivy scan is highly efficient

"A container without vulnerability scanning is a locked room with an open window."

Common Issues Explained

1. Slow vulnerability scans
This usually happens when Trivy is using an outdated local cache. Refreshing the cache resolves the issue.
Solution: Run trivy image --download-db-only to refresh the vulnerability database; in ephemeral CI runners, cache the Trivy cache directory between jobs so the database is not downloaded on every run.

2. False positives during scans
This problem occurs if the vulnerability database is old or outdated.
Solution: Always update the database before running scans, for example with trivy image --download-db-only.

3. CI/CD pipeline failures caused by Trivy
If the pipeline keeps failing during scans, it often means the severity thresholds are too strict.
Solution: Adjust the exit-code configuration or relax the severity filters (--severity, --ignore-unfixed) to match your risk tolerance.

4. Missing or unreported CVEs
This can happen if the base image uses an OS that Trivy doesn’t fully support.
Solution: Check the container image’s base OS for compatibility or enable debug mode using --debug to identify the issue.

Best Practices for Effective Scanning

  • Use automation early in CI/CD — catch issues before builds.
  • Regularly update the vulnerability database (trivy image --download-db-only).
  • Enable SBOM reports to enhance supply chain transparency.
  • Integrate with notification tools (Slack, Teams) for quick alerts.
  • Combine Trivy with policy enforcement tools like OPA or Kyverno.

FAQs

Q1: Is Trivy free to use?
Yes, Trivy is completely open-source under the Apache 2.0 license.

Q2: How often should I scan images?
Ideally, before every deployment — or at least daily in production environments.

Q3: Can Trivy scan for secrets?
Yes, it detects secrets and sensitive credentials in code and configurations.

Q4: Does Trivy work offline?
Yes, after downloading its vulnerability database locally.

Q5: How do I export Trivy reports?
Use the -f json -o report.json flags for JSON reports, or --format template together with --template for custom ones.

Key Takeaways

  • Trivy is a lightweight, powerful, and free vulnerability scanner.
  • It integrates seamlessly with CI/CD pipelines and Kubernetes.
  • Automating scans helps maintain continuous security without manual effort.
  • Regular scanning and database updates minimize false positives.
  • A proactive vulnerability management strategy ensures secure and compliant releases.

Conclusion

Security isn’t a one-time task — it’s a continuous process. By automating vulnerability scans with Trivy, DevOps teams can shift security left, identifying and fixing issues before deployment. Trivy’s speed, accuracy, and ease of integration make it one of the best tools for DevSecOps automation in 2025 and beyond. Start small, automate often, and let your pipelines protect your production.

About the Author: Narendra is a DevOps Engineer at AddWebSolution, specializing in automating infrastructure to improve efficiency and reliability.
