Trivy Practice
Exercises
Exercise 1: Scan and Fix a Container Image
- Scan python:3.9 for CRITICAL vulnerabilities
- Run:
trivy image --severity CRITICAL python:3.9
- Note the CVEs found
- Scan python:3.12-slim and compare the results
- Understand why using minimal/newer base images reduces your attack surface
Exercise 2: IaC Misconfiguration Scanning
- Create a Terraform file defining an S3 bucket with public access enabled
- Scan it with:
trivy config ./
- Note the misconfigurations flagged (ACL, versioning, encryption)
- Fix each finding and re-scan until it passes
Goal: Practice secure IaC development with fast feedback
Exercise 3: Integrate Trivy in GitHub Actions
- Create a Dockerfile for a simple Node.js app
- Add a GitHub Actions workflow that:
  - Builds the Docker image
  - Scans it with Trivy
  - Fails the build if CRITICAL CVEs are found
  - Uploads SARIF results to GitHub Security tab
- Intentionally use an older base image and observe the pipeline fail
Reference: https://github.com/aquasecurity/trivy-action
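A workflow that covers all four steps of this exercise, added here as an example (not taken from the trivy-action repository). It assumes the Dockerfile sits in the repository root and uses the `image-ref`, `format`, `severity`, `exit-code` and `output` inputs documented for trivy-action; the image tag `node-app` is a placeholder.

```yaml
name: container-scan

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # required by upload-sarif to write to the Security tab

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        id: build
        run: docker build -t node-app:${{ github.sha }} .

      # Gate: exit-code 1 fails the job when at least one CRITICAL CVE is found.
      # Pin trivy-action to a release tag or commit SHA in a real pipeline.
      - name: Trivy scan (gate on CRITICAL)
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: node-app:${{ github.sha }}
          format: table
          severity: CRITICAL
          exit-code: '1'
          ignore-unfixed: true

      # Report: a second scan writes SARIF. `always()` keeps it running after the
      # gate fails, which is exactly when the findings should reach the Security tab;
      # the outcome check skips it when the image was never built.
      - name: Trivy scan (SARIF report)
        if: always() && steps.build.outcome == 'success'
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: node-app:${{ github.sha }}
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH

      - name: Upload SARIF to GitHub Security tab
        if: always() && steps.build.outcome == 'success'
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```

With an old base image the gate step turns the job red while the report steps still run, so the CVEs appear under Security > Code scanning.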
Exercise 4: Generate and Validate an SBOM
- Pull an image:
docker pull redis:7
- Generate a CycloneDX SBOM:
trivy image --format cyclonedx --output sbom.json redis:7
- Inspect the SBOM to list all components
- Use the SBOM to scan for vulnerabilities:
trivy sbom sbom.json
Goal: Understand Software Bill of Materials in supply chain security
Exercise 5: Kubernetes Cluster Security Audit
- If you have a running Kubernetes cluster (minikube/kind), run:
trivy k8s --report summary cluster
- Review findings by category (vulnerabilities, misconfigurations)
- Pick one HIGH finding and research how to fix it
- Apply the fix and re-run to confirm remediation
Reference: https://trivy.dev/latest/docs/target/kubernetes/