
Complete Guide to Trivy: Security Scanning for Modern Applications

Published • 5 min read

In today's rapidly evolving software landscape, security vulnerabilities pose significant threats to both applications and infrastructure. Trivy, developed by Aqua Security, is one of the most comprehensive and user-friendly open-source vulnerability scanners available today.

This guide provides an in-depth walkthrough of Trivy, from installation to advanced scanning techniques, helping you integrate security into your development workflow seamlessly.


🌟 What is Trivy?

Trivy (pronounced tree-vee) is a versatile security scanner for:

  • Container images

  • File systems

  • Git repositories

  • Virtual machine images

  • Running containers

  • Infrastructure as Code (IaC)

It detects vulnerabilities in:

  • OS packages

  • Programming language dependencies (e.g., Python, Node.js)

  • IaC misconfigurations

  • Hardcoded secrets


🚀 Key Features

  • 🔍 Multi-target scanning: Images, filesystems, repos, VM images, containers

  • 📦 Multi-format support: Pip, NPM, Go modules, Maven, Dockerfiles, and more

  • ⚡ Fast and accurate: Intelligent matching and low false positives

  • 🧪 Secret & IaC scanning: Finds hardcoded keys and config issues

  • 📄 Flexible output: JSON, SARIF, HTML, table

  • 🔧 CI/CD ready: Ideal for DevSecOps pipelines

  • 🛠️ Zero dependencies: Just a single binary!


πŸ› οΈ Installation

Linux/macOS (via curl)

curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.48.0

The trailing argument pins the release (v0.48.0 here). Replace it with the version you want rather than omitting it, so every machine in a pipeline runs the same scanner version.

Homebrew (macOS/Linux)

brew install trivy

Docker

docker pull aquasec/trivy:latest

Windows (Chocolatey)

choco install trivy

Verify Installation

trivy version

πŸ“ Repository Scanning (with Flask Example)

Let’s use the Flask web framework to demonstrate Trivy’s source scanning capabilities.

Setup

git clone https://github.com/pallets/flask.git
cd flask

Basic Scan

trivy repo .

Trivy will detect:

  • Python: requirements.txt, setup.py, poetry.lock

  • Node.js: package.json, yarn.lock

  • Java: pom.xml, build.gradle

  • Go: go.mod


βš™οΈ Advanced Scanning Options

Scan by Severity

trivy repo --severity HIGH,CRITICAL .

Include Secret Detection

trivy repo --scanners vuln,secret .

Scan for Misconfigurations

trivy repo --scanners vuln,secret,config .

🧾 Output Formats

JSON

trivy repo --format json --output results.json .

HTML Report

trivy repo --format template --template "@contrib/html.tpl" --output report.html .

The "@" prefix tells Trivy to load the template from a file. The path is resolved relative to the working directory, and contrib/html.tpl ships with the Trivy source repository, so either run the command from a Trivy checkout or copy the template next to your project.

SARIF (GitHub integration)

trivy repo --format sarif --output results.sarif .

πŸ” Sample Output

Target: requirements/tests.txt (pip)
Type: pip
Vulnerabilities: 2

Library     : requests
CVE         : CVE-2023-32681
Severity    : MEDIUM
Installed   : 2.28.2
Fixed       : 2.31.0
Title       : Unintended leak of Proxy-Authorization header

🧩 Customizing Your Scan

Ignore Vulnerabilities (.trivyignore)

Trivy reads a .trivyignore file in the working directory and drops every finding whose ID is listed. The format is one ID per line with # comments; package names and severities are not valid entries, so keep that context in a comment:

# requests 2.28.2: Proxy-Authorization header leak (MEDIUM), fixed in 2.31.0
CVE-2023-32681
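The following is an added example, not code from the original post or from the Trivy project. It parses a Trivy JSON report (the Results[].Vulnerabilities[] layout that the JSON output format above produces), applies a .trivyignore-style list, and derives the exit code that a severity gate such as --exit-code 1 --severity HIGH,CRITICAL would return. The report and ignore file are constructed inline; the second CVE ID is a placeholder, not a real identifier.

```python
# Added example (not from the original post or the Trivy project): parse a Trivy
# JSON report, drop findings listed in a .trivyignore file, and decide a CI exit
# code the way `trivy --exit-code 1 --severity HIGH,CRITICAL` would.
import json
from collections import Counter

# Constructed sample in the shape of Trivy's JSON output (Results[].Vulnerabilities[]).
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "requirements/tests.txt",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-32681", "PkgName": "requests",
                 "InstalledVersion": "2.28.2", "FixedVersion": "2.31.0",
                 "Severity": "MEDIUM",
                 "Title": "Unintended leak of Proxy-Authorization header"},
                # CVE-0000-0000 is a constructed placeholder, not a real ID.
                {"VulnerabilityID": "CVE-0000-0000", "PkgName": "examplelib",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "HIGH", "Title": "constructed placeholder finding"},
            ],
        },
        # A target with no findings: Trivy emits null, not an empty list.
        {"Target": "package.json", "Type": "npm", "Vulnerabilities": None},
    ]
})

# Constructed .trivyignore: one ID per line, '#' starts a comment.
SAMPLE_IGNORE = """
# accepted until the next requests upgrade
CVE-2023-32681
"""


def load_ignore(text):
    """Return the set of IDs listed in a .trivyignore-style file."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def parse_report(text):
    """Flatten Results[].Vulnerabilities[] into (target, finding) pairs."""
    findings = []
    for result in json.loads(text).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # None -> []
            findings.append((result["Target"], vuln))
    return findings


def gate(report_text, ignore_text, fail_on=("HIGH", "CRITICAL")):
    """Return (exit_code, per-severity counts) after applying the ignore list."""
    ignored = load_ignore(ignore_text)
    counts = Counter()
    for _target, vuln in parse_report(report_text):
        if vuln["VulnerabilityID"] in ignored:
            counts["IGNORED"] += 1
            continue
        counts[vuln["Severity"]] += 1
    exit_code = 1 if any(counts[s] for s in fail_on) else 0
    return exit_code, dict(counts)


def print_findings(report_text, ignore_text):
    """Print the surviving findings in a compact one-line-per-finding form."""
    ignored = load_ignore(ignore_text)
    for target, v in parse_report(report_text):
        if v["VulnerabilityID"] in ignored:
            continue
        print(f"{target}: {v['PkgName']} {v['InstalledVersion']} -> {v['FixedVersion']} "
              f"[{v['Severity']}] {v['VulnerabilityID']} {v['Title']}")


if __name__ == "__main__":
    print_findings(SAMPLE_REPORT, SAMPLE_IGNORE)
    code, counts = gate(SAMPLE_REPORT, SAMPLE_IGNORE)
    print("counts:", counts, "exit code:", code)
```

Trivy applies the ignore file itself, so in practice you would run trivy repo --format json --output results.json . and feed results.json to gate(); the value of re-implementing the logic is seeing that an ignored entry silences only the listed ID, never a package or severity, and that a clean target arrives as null rather than an empty list.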

Use Config File (trivy.yaml)

format: json
output: scan-results.json
severity:
  - HIGH
  - CRITICAL
scan:
  scanners:
    - vuln
    - secret

trivy repo --config trivy.yaml .

🔑 Secret Detection

trivy repo --scanners secret .

Example:

Target: config/database.py
Type: secrets

Category            : AsymmetricPrivateKey
Severity            : HIGH
Line                : 12
Match               : -----BEGIN PRIVATE KEY-----
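As an added example, not part of the original post or of the Trivy project, here is a minimal line-oriented secret detector that reports findings in the same shape as the output above (Category / Severity / Line / Match) and redacts the secret value so it never reaches CI logs. The two rules, the ConstructedApiToken category and the sample file content (including the key and token in it) are constructed for illustration; Trivy's real rule set is far larger.

```python
# Added example, not from the original post or the Trivy project: a small
# secret detector that reports findings like Trivy's secret output and redacts
# captured secret values. The rule table is constructed for illustration.
import re

# Constructed rules: (category, severity, compiled pattern). For the private-key
# rule the match is the PEM header, which is safe to print; for the token rule
# group 1 is the secret and must be redacted.
RULES = [
    ("AsymmetricPrivateKey", "HIGH",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("ConstructedApiToken", "CRITICAL",  # constructed category name
     re.compile(r"""API_TOKEN\s*=\s*["']([A-Za-z0-9_\-]{20,})["']""")),
]

# Constructed stand-in for config/database.py; the key and token are fake.
SAMPLE_FILE = """import os

DB_HOST = os.environ.get("DB_HOST", "localhost")
API_TOKEN = "fake0123456789abcdefFAKE0123"

TLS_KEY = \"\"\"-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7fakefakefake
-----END PRIVATE KEY-----\"\"\"
"""


def redact(match):
    """Replace the secret capture group (if any) with asterisks, keep the rest."""
    text = match.group(0)
    if match.lastindex:  # the rule captured a secret value
        start, end = match.span(1)
        offset = match.start()
        text = text[:start - offset] + "*" * (end - start) + text[end - offset:]
    return text


def scan_text(text, target, rules=RULES):
    """Return Trivy-style findings, one per rule match, with 1-based line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, severity, pattern in rules:
            m = pattern.search(line)
            if m:
                findings.append({"Target": target, "Category": category,
                                 "Severity": severity, "Line": lineno,
                                 "Match": redact(m)})
    return findings


def format_findings(findings):
    """Render findings the way the sample output above is laid out."""
    lines = []
    for f in findings:
        lines.append(f"Target: {f['Target']}\nType: secrets\n")
        lines.append(f"Category            : {f['Category']}")
        lines.append(f"Severity            : {f['Severity']}")
        lines.append(f"Line                : {f['Line']}")
        lines.append(f"Match               : {f['Match']}\n")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_findings(scan_text(SAMPLE_FILE, "config/database.py")))
```

The redaction step is the part worth copying: a scanner that echoes the matched token into a build log has just moved the secret from the repository into the CI system's log retention.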

🐳 Container Image Scanning

Basic Usage

trivy image nginx:latest
trivy image my-app:latest

Private Registry

trivy image --username myuser --password mypass registry.com/image:tag

Passing the password on the command line leaves it in shell history and process listings. In a pipeline set TRIVY_USERNAME and TRIVY_PASSWORD in the environment instead (every Trivy flag has a TRIVY_-prefixed environment variable equivalent), or run docker login and let Trivy reuse the stored credentials.

Layer-wise Vulnerability Detection

trivy image --format json nginx:latest | jq '.Results[].Vulnerabilities[]? | {Library: .PkgName, CVE: .VulnerabilityID, Layer: .Layer.DiffID}'

The ? after Vulnerabilities[] matters: a result with no findings carries "Vulnerabilities": null, and without it jq aborts with "Cannot iterate over null" at the first clean target.
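The jq one-liner prints one row per vulnerability. The added example below, which is not from the original post or the Trivy project, does the grouping the other way round: it reads an image report in the JSON layout Trivy uses (Results[].Vulnerabilities[].Layer.DiffID) and maps each layer to the findings it introduced, then picks the layer to fix first. The report is constructed inline and the DiffID values are placeholders, not real digests.

```python
# Added example (not from the original post or the Trivy project): group the
# vulnerabilities in a `trivy image --format json` report by the layer that
# introduced them, tolerating targets whose Vulnerabilities field is null.
import json
from collections import defaultdict

# Constructed report in the shape Trivy uses for images; DiffIDs and CVE IDs
# are placeholders, not real values.
SAMPLE_IMAGE_REPORT = json.dumps({
    "ArtifactName": "example-app:latest",
    "Results": [
        {"Target": "example-app:latest (debian 12.0)", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
              "Severity": "HIGH",
              "Layer": {"DiffID": "sha256:placeholder-base-layer"}},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
              "Severity": "LOW",
              "Layer": {"DiffID": "sha256:placeholder-base-layer"}},
         ]},
        {"Target": "app/requirements.txt", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "somepkg",
              "Severity": "CRITICAL",
              "Layer": {"DiffID": "sha256:placeholder-pip-install-layer"}},
         ]},
        # Trivy emits null rather than [] for a clean target; iterate safely.
        {"Target": "usr/bin/app", "Type": "gobinary", "Vulnerabilities": None},
    ],
})


def by_layer(report_text):
    """Map each layer DiffID to the (package, CVE, severity) findings it introduced."""
    layers = defaultdict(list)
    for result in json.loads(report_text)["Results"]:
        for v in result.get("Vulnerabilities") or []:
            diff_id = v.get("Layer", {}).get("DiffID", "<unknown layer>")
            layers[diff_id].append((v["PkgName"], v["VulnerabilityID"], v["Severity"]))
    return dict(layers)


def worst_layer(report_text, order=("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")):
    """Return the DiffID whose findings have the highest severity (ties: most findings)."""
    rank = {sev: i for i, sev in enumerate(order)}
    best = None
    for diff_id, findings in by_layer(report_text).items():
        key = (min(rank.get(sev, len(order)) for _, _, sev in findings), -len(findings))
        if best is None or key < best[0]:
            best = (key, diff_id)
    return best[1] if best else None


if __name__ == "__main__":
    for diff_id, findings in by_layer(SAMPLE_IMAGE_REPORT).items():
        print(diff_id)
        for pkg, cve, sev in findings:
            print(f"  {sev:8} {cve:16} {pkg}")
    print("layer to fix first:", worst_layer(SAMPLE_IMAGE_REPORT))
```

To tie a DiffID back to a Dockerfile instruction, compare it against the ordered list from docker image inspect --format '{{json .RootFS.Layers}}' IMAGE alongside docker history IMAGE; findings that land in the base layer are fixed by bumping the FROM tag, findings in the pip-install layer by updating requirements.txt.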

Scan Saved TAR Image

docker save nginx:latest -o nginx.tar
trivy image --input nginx.tar

πŸ” Build Secure Docker Images

Secure Dockerfile

FROM python:3.11-slim-bullseye

# Dedicated unprivileged account; the container should never run as root
RUN adduser --disabled-password --gecos '' appuser

WORKDIR /app

# Install dependencies first so this layer stays cached while app code changes
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

COPY . .

# Drop privileges for the runtime process
USER appuser

EXPOSE 8000
CMD ["python", "app.py"]

Scan During Build

docker build -t my-secure-app:latest .
trivy image --exit-code 1 --severity HIGH,CRITICAL my-secure-app:latest

With --exit-code 1 Trivy returns a non-zero status only when findings at the listed severities remain, which is what makes a CI build step fail on them.

Multi-stage Secure Build

FROM python:3.11 AS builder
WORKDIR /app
COPY requirements.txt .
# Install into a standalone prefix that the runtime stage can copy as a whole.
# (pip install --user would land in /root/.local, which a non-root runtime user
# cannot read, so the app would fail to import its dependencies.)
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt

FROM python:3.11-slim
COPY --from=builder /install /usr/local
WORKDIR /app
COPY . .
# Give UID 1000 a real account, then drop to it; build tools stay in the builder stage
RUN adduser --disabled-password --gecos '' --uid 1000 appuser
USER 1000
CMD ["python", "app.py"]

🌐 Remote Repository Scanning

trivy repo https://github.com/pallets/flask
trivy repo --branch main https://github.com/pallets/flask
trivy repo --tag v2.3.0 https://github.com/pallets/flask

πŸ—οΈ IaC Misconfiguration Scanning

trivy config ./terraform/
trivy config ./k8s-manifests/
trivy config --file-patterns dockerfile:Dockerfile .

Example (main.tf):

resource "aws_s3_bucket" "example" {
  bucket = "my-bucket"
  acl    = "public-read" # 🚨 Triggers a HIGH severity warning
}

📦 Running Container Scans

Trivy scans the image a container was started from, so list each running container with its image and scan the image:

docker ps --format '{{.Names}} {{.Image}}' | while read -r name image; do
    echo "Scanning container: $name ($image)"
    trivy image "$image"
done

☸️ Kubernetes Integration

Deploy a Test Workload

# demo-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vulnerable-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vulnerable-app
  template:
    metadata:
      labels:
        app: vulnerable-app
    spec:
      containers:
        - name: app
          image: nginx:1.19
          ports:
            - containerPort: 80

kubectl apply -f demo-deployment.yaml
trivy image nginx:1.19

Trivy Operator for Continuous Scanning

kubectl apply -f https://raw.githubusercontent.com/aquasecurity/trivy-operator/main/deploy/static/trivy-operator.yaml
kubectl get pods -n trivy-system

Trivy Operator automatically:

  • Scans all images in your cluster

  • Generates VulnerabilityReports

  • Creates ConfigAuditReports

  • Provides ClusterComplianceReports

kubectl get vulnerabilityreports -A

🐳 Docker Compose Integration

version: '3.8'
services:
  web:
    build: .
    ports:
      - "8000:8000"
    depends_on:
      - db
  db:
    image: postgres:12
    environment:
      POSTGRES_PASSWORD: password123  # demo only; keep real credentials in an env file or secret, not in the compose file
    volumes:
      - db_data:/var/lib/postgresql/data

volumes:
  db_data:

Scan Images from Compose

# After building
docker-compose build
# docker-compose images -q lists only images of containers that already exist,
# so run docker-compose up --no-start (or create) first if you use this form
docker-compose config --services | xargs -I {} sh -c 'trivy image $(docker-compose images -q {})'
# Compose v2 can print the image names directly, with no containers required
docker compose config --images | xargs -n 1 trivy image --severity HIGH,CRITICAL

📚 Conclusion

Trivy is a powerful, versatile, and easy-to-use tool that fits perfectly into modern DevSecOps workflows. Whether you're scanning containers, source code, IaC, or even running Kubernetes workloads, Trivy provides comprehensive coverage with minimal configuration.

Secure early, secure often. Use Trivy. 🌍🛡️


Let me know if you'd like a downloadable Markdown version or cover image ideas for your post!