devops-basics

1. What is Trivy?

Overview

Trivy is one of the most widely used open-source vulnerability and misconfiguration scanners. Built by Aqua Security, it detects security issues across the software supply chain: container images, filesystems, Git repositories, Kubernetes clusters, and Infrastructure as Code.

Trivy scans for:

- Vulnerabilities in OS packages and application dependencies
- Misconfigurations in IaC (Terraform, Kubernetes manifests)
- Secrets (hard-coded credentials, keys and tokens)
- Licenses

Trivy Architecture

                ┌──────────────────────────────────────────┐
                │                Trivy CLI                 │
                │  ┌──────────┐  ┌───────────────────────┐ │
Input ─────────►│  │  Scanner │  │      Detectors        │ │
(image/fs/repo) │  │          │  │  - Vulnerabilities    │ │
                │  │ ┌──────┐ │  │  - Misconfigurations  │ │
                │  │ │Parser│ │  │  - Secrets            │ │
                │  │ │ SBOM │ │  │  - Licenses           │ │
                │  └─┴──────┴─┘  └───────────────────────┘ │
                │         │                                │
                │  ┌──────▼─────────────────────────────┐  │
                │  │  Vulnerability DB (auto-updated)   │  │
                │  │  NVD, GitHub Advisory, OSV, RedHat │  │
                │  └────────────────────────────────────┘  │
                └──────────────────────────────────────────┘

Official Documentation

2. Prerequisites

3. Installation

Install Trivy

# macOS
brew install trivy

# Linux (Ubuntu/Debian)
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update && sudo apt-get install trivy

# Docker (mount the Docker socket so the container can read local images;
# the second mount persists the downloaded vulnerability DB between runs)
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v "$HOME/.cache/trivy:/root/.cache/" aquasec/trivy image nginx:latest

# Verify
trivy --version

4. Basics of Trivy

Trivy Hello World

Scan a Container Image

# Scan an image for vulnerabilities
trivy image nginx:latest

# Scan only HIGH and CRITICAL
trivy image --severity HIGH,CRITICAL nginx:latest

# Output as JSON
trivy image --format json --output result.json nginx:latest

# Scan a local image
trivy image myapp:local

Scan a Filesystem or Repository

# Scan current directory
trivy fs .

# Scan a Git repository
trivy repo https://github.com/knqyf263/trivy-ci-test

# Scan for secrets
trivy fs --scanners secret .

# Scan IaC (Terraform, K8s manifests)
trivy config ./terraform/

Scan Kubernetes Cluster

Trivy uses your current kubeconfig context, so run these with the least-privileged context that can list the workloads you want scanned.

# Scan entire cluster (summary report)
trivy k8s --report summary cluster

# Scan a specific namespace
trivy k8s --namespace production --report all cluster

# Scan a specific workload
trivy k8s deployment/myapp

# Note: newer Trivy releases dropped the trailing `cluster` / `deployment/<name>`
# arguments; there the whole cluster is `trivy k8s --report summary` and
# workloads are selected with --include-namespaces / --include-kinds.
# Check `trivy k8s --help` for the syntax your version accepts.

5. Beyond the Basics

Integrate with GitHub Actions

# Pin the action to a release tag or commit SHA in real pipelines: @master
# floats, which is itself a supply-chain risk for a security scanning step.
- name: Scan Docker image
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: 'myapp:$'
    format: 'sarif'
    output: 'trivy-results.sarif'
    severity: 'CRITICAL,HIGH'
    # To fail the job on findings, set the action's `exit-code` input to '1';
    # then give the upload step `if: always()` so the SARIF is still uploaded.

- name: Upload results to GitHub Security
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: 'trivy-results.sarif'
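The SARIF upload above surfaces findings in the GitHub Security tab, but a build gate usually needs its own rules: a severity threshold, skipping findings that have no fix yet (what `--ignore-unfixed` does), and a time-boxed ignore list so accepted risks do not stay suppressed forever. The script below, an added example rather than Trivy's own code, applies those rules to the JSON written by `trivy image --format json --output result.json`. The embedded report is a constructed sample in Trivy's JSON layout with placeholder `CVE-0000-*` identifiers and made-up packages; the ignore-list parser is the script's own and reads the one-ID-per-line `.trivyignore` layout with an optional `exp:YYYY-MM-DD` suffix.

```python
"""Gate a CI build on a Trivy JSON report (trivy image --format json ...).

Added example, not Trivy's own code. SAMPLE_REPORT is a constructed report in
Trivy's JSON layout (SchemaVersion 2) with placeholder CVE-0000-* identifiers;
the ignore-list parser is this script's own and accepts the one-ID-per-line
.trivyignore layout with an optional `exp:YYYY-MM-DD` suffix.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample of `trivy image --format json` output, trimmed to the
# fields this gate reads. Results are grouped per target (OS packages first,
# then application dependencies), as Trivy groups them.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "myapp:local",
    "Results": [
        {"Target": "myapp:local (debian 12.5)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
              "InstalledVersion": "2.3-4", "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
              "InstalledVersion": "0.9-1", "FixedVersion": "1.0-1", "Severity": "MEDIUM"},
         ]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "requests",
              "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0", "Severity": "HIGH"},
         ]},
    ],
})


def parse_ignore_list(text, today=None):
    """Return the set of IDs still suppressed by a .trivyignore-style list.

    `today` is an ISO date string (for reproducible runs); entries whose
    `exp:` date has passed are dropped so the finding resurfaces.
    """
    today = date.fromisoformat(today) if today else date.today()
    ignored = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        expiry = next((p[4:] for p in parts[1:] if p.startswith("exp:")), None)
        if expiry and date.fromisoformat(expiry) < today:
            continue  # expired exception: the finding fails the build again
        ignored.add(parts[0])
    return ignored


def gate(report_json, min_severity="HIGH", ignore_unfixed=False, ignore_ids=frozenset()):
    """Return findings that should fail the build as (id, package, severity, target)."""
    threshold = SEVERITY_RANK[min_severity]
    failing = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy omits the key (or emits null) for targets with no findings.
        for v in result.get("Vulnerabilities") or []:
            if v["VulnerabilityID"] in ignore_ids:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue  # same semantics as `trivy image --ignore-unfixed`
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            failing.append((v["VulnerabilityID"], v["PkgName"], v["Severity"], result["Target"]))
    return failing


def summarize(report_json):
    """Count findings per severity, like the totals line of Trivy's table output."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN")
            counts[sev if sev in counts else "UNKNOWN"] += 1
    return counts


if __name__ == "__main__":
    # Usage: trivy_gate.py [result.json] [.trivyignore]; defaults to the sample.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    ignore = parse_ignore_list(open(sys.argv[2]).read()) if len(sys.argv) > 2 else set()
    print("totals:", summarize(report))
    failing = gate(report, min_severity="HIGH", ignore_unfixed=True, ignore_ids=ignore)
    for vuln_id, pkg, sev, target in failing:
        print(f"{sev:8} {vuln_id:16} {pkg} ({target})")
    sys.exit(1 if failing else 0)
```

Run it as `python trivy_gate.py result.json .trivyignore` after the scan step; a non-zero exit is what the CI runner turns into a failed job. Keeping the threshold and the expiring ignore list in the repository rather than in action inputs makes the risk acceptance reviewable in pull requests.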

Generate SBOM (Software Bill of Materials)

# Generate SBOM in CycloneDX format
trivy image --format cyclonedx --output sbom.json nginx:latest

# Generate SBOM in SPDX format
trivy image --format spdx-json --output sbom.spdx.json nginx:latest
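An SBOM is only useful if something consumes it. One routine use is drift detection: diff the CycloneDX SBOM of a new build against the previous one to see which components appeared, disappeared or changed version before the image is promoted. The script below is an added example, not Trivy's own tooling; the two SBOMs in it are constructed CycloneDX 1.5 JSON fragments (real purl syntax, illustrative packages and versions) standing in for two runs of `trivy image --format cyclonedx`.

```python
"""Diff two CycloneDX SBOMs produced by `trivy image --format cyclonedx`.

Added example, not Trivy's own tooling. OLD_SBOM and NEW_SBOM are constructed
CycloneDX 1.5 JSON samples trimmed to the fields used here; packages and
versions are illustrative.
"""
import json

OLD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": "myapp", "version": "build-41"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.11-1",
         "purl": "pkg:deb/debian/openssl@3.0.11-1?arch=amd64&distro=debian-12.5"},
        {"type": "library", "name": "curl", "version": "7.88.1-10",
         "purl": "pkg:deb/debian/curl@7.88.1-10?arch=amd64&distro=debian-12.5"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

NEW_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": "myapp", "version": "build-42"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13-1",
         "purl": "pkg:deb/debian/openssl@3.0.13-1?arch=amd64&distro=debian-12.5"},
        {"type": "library", "name": "curl", "version": "7.88.1-10",
         "purl": "pkg:deb/debian/curl@7.88.1-10?arch=amd64&distro=debian-12.5"},
        {"type": "library", "name": "urllib3", "version": "2.2.1",
         "purl": "pkg:pypi/urllib3@2.2.1"},
    ],
})


def components(sbom_json):
    """Map component identity to version.

    The identity is the purl with its version and qualifiers removed
    (pkg:type/namespace/name), so the same package from two ecosystems stays
    distinct; components without a purl fall back to type/name.
    """
    out = {}
    for c in json.loads(sbom_json).get("components", []):
        purl = c.get("purl")
        key = purl.split("@", 1)[0].split("?", 1)[0] if purl else f"{c.get('type')}/{c['name']}"
        out[key] = c.get("version", "")
    return out


def diff_sboms(old_json, new_json):
    """Return added, removed and version-changed components between two SBOMs."""
    old, new = components(old_json), components(new_json)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted((k, old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]),
    }


if __name__ == "__main__":
    # Usage: sbom_diff.py old.json new.json; defaults to the embedded samples.
    import sys
    old = open(sys.argv[1]).read() if len(sys.argv) > 2 else OLD_SBOM
    new = open(sys.argv[2]).read() if len(sys.argv) > 2 else NEW_SBOM
    for kind, items in diff_sboms(old, new).items():
        for item in items:
            print(kind, item)
```

Run it against the SBOMs of two consecutive builds; an unexpected entry under `added` is the signal to inspect (a dependency pulled in by a transitive update, or a package that should not be in the image at all).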

Policy as Code with Rego

# Use custom Rego policies for IaC scanning. Custom policies live outside the
# builtin namespace, so pass --namespaces as well; without it they are loaded
# but never applied. (Later Trivy releases renamed these flags to
# --config-check / --check-namespaces; see `trivy config --help` for your version.)
trivy config --policy ./policies/ --namespaces user ./kubernetes/

Hands-On Examples

6. More

Trivy Cheatsheet

# Image scanning
trivy image <image>                           # Scan image
trivy image --severity HIGH,CRITICAL <image>  # Filter by severity
trivy image --ignore-unfixed <image>          # Skip CVEs with no fixed version yet
trivy image --format json <image>             # JSON output

# Filesystem scanning
trivy fs .                                    # Scan directory
trivy fs --scanners vuln,secret,misconfig .   # vuln + secret + misconfig scanners (older releases: config)

# Config/IaC scanning
trivy config ./                               # Scan IaC files

# Kubernetes
trivy k8s --report summary cluster            # Cluster summary (newer releases: trivy k8s --report summary)