Scanning Containers with Trivy in CI/CD

When to Use

  • When building Docker container images in CI/CD and vulnerability scanning must run automatically before the image is pushed to a registry
  • When establishing quality gates that prevent images with critical or high CVEs from reaching production
  • When compliance requirements mandate vulnerability scanning of all container images before deployment
  • When scanning IaC files (Dockerfiles, Kubernetes manifests) alongside container image scanning
  • When a single tool is needed to scan OS packages, language-specific dependencies, and misconfigurations

Do not use this skill for runtime container security monitoring (use Falco), for scanning containers already running in production (use runtime agents), or for scanning application source code that is never containerized (use SAST tools).

Prerequisites

  • Trivy CLI installed (v0.50+) or access to the aquasecurity/trivy-action GitHub Action
  • Docker daemon available in CI/CD for building and scanning images
  • Container registry credentials for pulling base images and pushing scanned images
  • Trivy vulnerability database reachable from the CI/CD runner (downloaded automatically or restored from cache)
Installs: 22 · GitHub Stars: 6.3K · First Seen: Mar 15, 2026