loading
loading
Containers
Trivy scanning for container images: vulnerabilities, secrets, misconfigurations, and licenses.
overview
trivy-image-scan runs Aqua Security's Trivy against container images from any registry or a local list. It reads each image, unpacks the layers, and reports known vulnerabilities in the OS packages and application libraries inside. Beyond CVEs, its security checks extend to secrets baked into an image, misconfigurations, and license problems, so one scan covers several classes of supply-chain risk.
It is the general-purpose Trivy node, with the full set of controls. Filter by severity, restrict vulnerability types, ignore unfixed issues, and set an exit code to gate a build. Output formats run from table and JSON to SARIF, CycloneDX, and SPDX, which means the same scan can feed a security dashboard or generate a software bill of materials. A trivyignore file and Rego policies let you encode exceptions and custom rules.
Use it to scan the images your pipeline builds or pulls, as a release gate or on a schedule, and route the findings into reporting downstream. On Trickest it is a Containers-category node that takes an image list and writes a folder of results.
use cases
Read an image list and report vulnerabilities in both system packages and application dependencies, so the full software stack in each image gets checked.
Extend security checks to secret and config scanning so credentials baked into a layer or insecure settings surface in the same run as the CVEs.
Emit CycloneDX or SPDX output so a scan doubles as a software bill of materials for supply-chain inventory and compliance.
Filter to high and critical and set an exit code so a pipeline fails when a serious issue appears, blocking a risky image from shipping.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| image-list | FILE | · | List of images, line by line, to scan. |
| severity | STRING | --severity | Severities to display (default UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL). |
| format | STRING | --format | Output format: table, json, sarif, cyclonedx, spdx, and more (default table). |
| security-checks | STRING | --security-checks | Issues to detect: vuln, config, secret, license (default vuln,secret). |
| vuln-type | STRING | --vuln-type | Vulnerability types to scan: os, library. |
| ignore-unfixed | BOOLEAN | --ignore-unfixed | Display only vulnerabilities that have a fix available. |
| exit-code | STRING | --exit-code | Exit code to return when vulnerabilities are found. |
| ignorefile | FILE | --ignorefile | Path to a .trivyignore file for exceptions (default .trivyignore). |
Showing key inputs. trivy-image-scan exposes 54 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| debug | BOOLEAN | --debug | debug mode |
| quiet | BOOLEAN | --quiet | suppress progress bar and log output |
| reset | BOOLEAN | --reset | remove all caches and database |
| token | STRING | --token | for authentication in client/server mode |
| trace | BOOLEAN | --trace | enable more verbose trace output for custom queries |
| config | FILE | --config | config path (default "trivy.yaml") |
| format | STRING | --format | format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table") |
| server | STRING | --server | server address in client mode |
| tf-vars | STRING | --tf-vars | specify paths to override the Terraform tfvars files |
| timeout | STRING | --timeout | timeout (default: 5m0s) |
| helm-set | STRING | --helm-set | specify Helm values (can separate values with commas: key1=val1,key2=val2) |
| insecure | BOOLEAN | --insecure | allow insecure server connections when using TLS |
| platform | STRING | --platform | set platform in the form os/arch if image is multi-platform capable |
| redis-ca | FILE | --redis-ca | redis ca file location, if using redis as cache backend |
| severity | STRING | --severity | severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") |
| template | FILE | --template | output template |
| cache-ttl | STRING | --cache-ttl | cache TTL when using redis as cache backend |
| exit-code | STRING | --exit-code | Exit code when vulnerabilities are found |
| redis-key | FILE | --redis-key | redis key file location, if using redis as cache backend |
| rekor-url | STRING | --rekor-url | [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") |
| skip-dirs | STRING | --skip-dirs | specify the directories where the traversal is skipped |
| vuln-type | STRING | --vuln-type | comma-separated list of vulnerability types (os,library) |
| compliance | STRING | --compliance | comma-separated list of what compliance reports to generate (nsa) |
| ignorefile | FILE | --ignorefile | specify .trivyignore file (default ".trivyignore") |
| image-list | FILE | · | List of images line by line to be scanned |
| redis-cert | FILE | --redis-cert | redis certificate file location, if using redis as cache backend |
| skip-files | STRING | --skip-files | specify the file paths to skip traversal |
| clear-cache | BOOLEAN | --clear-cache | clear image caches without scanning |
| config-data | FOLDER | --config-data | specify paths from which data for the Rego policies will be recursively loaded |
| helm-values | FILE | --helm-values | specify paths to override the Helm values.yaml files |
| license-full | BOOLEAN | --license-full | eagerly look for licenses in source code headers and license files |
| offline-scan | BOOLEAN | --offline-scan | do not issue API requests to identify dependencies |
| removed-pkgs | BOOLEAN | --removed-pkgs | detect vulnerabilities of removed packages (only for Alpine) |
| sbom-sources | STRING | --sbom-sources | [EXPERIMENTAL] try to retrieve SBOM from the specified sources (rekor) |
| token-header | STRING | --token-header | specify a header name for token in client/server mode (default "Trivy-Token") |
| cache-backend | STRING | --cache-backend | cache backend (e.g. redis://localhost:6379) (default "fs") |
| config-policy | FOLDER | --config-policy | specify paths to the Rego policy files directory, applying config files |
| db-repository | STRING | --db-repository | OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") |
| file-patterns | FILE | --file-patterns | specify config file patterns |
| ignore-policy | FILE | --ignore-policy | specify the Rego file to evaluate each vulnerability |
| list-all-pkgs | BOOLEAN | --list-all-pkgs | enabling the option will output all packages regardless of vulnerability |
| secret-config | FILE | --secret-config | specify a path to config file for secret scanning (default "trivy-secret.yaml") |
| show-progress | BOOLEAN | --no-progress | suppress progress bar |
| custom-headers | STRING | --custom-headers | custom headers in client mode |
| ignore-unfixed | BOOLEAN | --ignore-unfixed | display only fixed vulnerabilities |
| skip-db-update | BOOLEAN | --skip-db-update | skip updating vulnerability database |
| dependency-tree | BOOLEAN | --dependency-tree | [EXPERIMENTAL] show dependency origin tree of vulnerable packages |
| helm-set-string | STRING | --helm-set-string | specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) |
| security-checks | STRING | --security-checks | comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) |
| download-db-only | BOOLEAN | --download-db-only | download/update vulnerability database but don't run a scan |
| ignored-licenses | STRING | --ignored-licenses | specify a list of license to ignore |
| policy-namespaces | STRING | --policy-namespaces | Rego namespaces |
| username-password | FILE | · | Username and password for Docker Hub registry (format username:password) |
| include-non-failures | BOOLEAN | --include-non-failures | include successes and exceptions, available with '--security-checks config' |
example
# JSON report of fixable HIGH/CRITICAL CVEs for images in a listtrivy image --severity HIGH,CRITICAL --ignore-unfixed --format json --security-checks vuln,secret --exit-code 1 example/api:1.2.3example/api:1.2.3 (alpine 3.18.4)==============================Total: 3 (HIGH: 2, CRITICAL: 1) Library Vulnerability Severity Status Installed Version Fixed Versionopenssl CVE-2023-0286 CRITICAL fixed 3.1.1-r1 3.1.2-r0curl CVE-2023-38545 HIGH fixed 8.2.1-r0 8.4.0-r0libcrypto3 CVE-2023-5363 HIGH fixed 3.1.1-r1 3.1.3-r0guidance
Use trivy-image-scan for container images from any registry or a local list, and when you want more than CVEs: secrets, misconfigurations, licenses, and SBOM output. If your images live in Amazon ECR and you want AWS login handled for you, use trivy-ecr-scan instead.
Same Trivy engine with ECR login built in. Use it when the images are stored in Amazon ECR.
Another container vulnerability scanner. Different database and output, similar role to Trivy.
A Trivy variant pinned to SARIF output for code-scanning ingestion.
faq
related
An image list feeds trivy-image-scan, which inspects each image for CVEs, secrets, and misconfigurations and writes the findings as an output.
Facts on this page come from the live Trickest tool library.