How to use Trivy: a security scanner for containers, Kubernetes and repositories

An overview of the aquasecurity/trivy project: what it scans (container images, Kubernetes, code repositories, cloud configurations, IaC, secrets, SBOMs, vulnerabilities) and why it has become a common security tool in DevSecOps.

aquasecurity/trivy is a widely used open source security scanner. It can scan container images, Kubernetes clusters, code repositories, cloud configurations, IaC and SBOMs for vulnerabilities, misconfigurations and leaked secrets.

If you work with Docker, Kubernetes or CI/CD, Trivy is a tool you will run into sooner or later.

What can it scan?

Trivy covers a wide range of areas:

  • Container image vulnerabilities;
  • File systems and code repositories;
  • Kubernetes resources;
  • IaC such as Terraform and Kubernetes YAML;
  • Leaked secrets;
  • License risks;
  • SBOM generation and scanning;
  • Cloud resource configuration issues.

Its value lies in unifying several kinds of security checks in one tool, instead of installing a separate scanner for each type of risk.

Where to put it?

Common integration points:

  • Scan images during local development;
  • Fail the build in CI when high-risk vulnerabilities are found;
  • Scan the image registry on a regular schedule;
  • Check YAML before deploying to Kubernetes;
  • Generate SBOMs for audits or supply chain security;
  • Scan the code repository for secrets regularly.

The worst way to run a security scan is to run it once. A better approach is to put it into the pipeline, scan continuously and fix continuously.

What should you pay attention to when using it?

Trivy tells you about risks; it does not make risk decisions for you:

  • Whether a vulnerability is actually exploitable depends on the runtime environment;
  • Base image versions must be upgraded regularly;
  • Blocking policies can be set for high-risk vulnerabilities;
  • Low-risk findings and false positives should be handled through an exception process;
  • When Trivy hits a secret, that secret must be rotated immediately;
  • An SBOM is not compliance decoration; it must make it possible to trace where each dependency came from.
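To make the CI gate from the previous section and the decision rules above concrete, here is a small policy script. It is an added example, not code from the Trivy project: Trivy itself produces the report (for example `trivy image --format json -o report.json IMAGE`, and its own `--severity HIGH,CRITICAL --ignore-unfixed --exit-code 1` flags cover the simplest form of blocking, with `.trivyignore` holding waived IDs). The script shows what a slightly richer gate looks like: it blocks HIGH and CRITICAL findings that already have a fix, tracks unfixed ones without blocking, honours an exception list only while each exception is unexpired, and treats every secret hit as blocking because the only remedy is rotation. The report, the exception list and its format, and the vulnerability IDs (deliberately invalid placeholders) are constructed for the example and are not real scan results.

```python
#!/usr/bin/env python3
"""Policy gate over a Trivy JSON report (example code, not part of Trivy).

Usage:  trivy image --format json -o report.json IMAGE && python3 trivy_gate.py report.json
Without an argument the constructed SAMPLE_REPORT below is evaluated.
"""
import json
import sys
from datetime import date

BLOCK_SEVERITIES = {"HIGH", "CRITICAL"}  # same idea as `trivy --severity HIGH,CRITICAL`
IGNORE_UNFIXED = True                     # same idea as `trivy --ignore-unfixed`

# Exception list in this script's own format (assumption; Trivy's native file is .trivyignore).
# Every waiver carries a reason and an expiry so "temporary" exceptions cannot live forever.
EXCEPTIONS = [
    {"id": "CVE-0000-0004", "reason": "libqux is only loaded in the build stage", "expires": "2099-01-01"},
    {"id": "CVE-0000-0001", "reason": "waiver granted last quarter", "expires": "2000-01-01"},  # expired
]

# Constructed sample in the shape of Trivy's JSON output; the CVE IDs are placeholders, not real.
SAMPLE_REPORT = {
    "ArtifactName": "example.registry/app:1.2.3",
    "Results": [
        {
            "Target": "example.registry/app:1.2.3 (debian 12.5)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "InstalledVersion": "1.0-1",
                 "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "InstalledVersion": "2.3",
                 "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "InstalledVersion": "0.9",
                 "FixedVersion": "1.0", "Severity": "LOW"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libqux", "InstalledVersion": "3.1",
                 "FixedVersion": "3.2", "Severity": "HIGH"},
            ],
        },
        {
            "Target": "app/config.env",
            "Class": "secret",
            "Secrets": [
                {"RuleID": "aws-access-key-id", "Severity": "CRITICAL", "Title": "AWS Access Key ID", "StartLine": 3},
            ],
        },
    ],
}


def active_exceptions(exceptions, today):
    """Split the exception list into active and expired waivers, keyed by vulnerability ID."""
    active, expired = {}, {}
    for exc in exceptions:
        bucket = active if date.fromisoformat(exc["expires"]) >= today else expired
        bucket[exc["id"]] = exc
    return active, expired


def evaluate(report, exceptions=EXCEPTIONS, today=None):
    """Apply the gate to a parsed Trivy report. exit_code is 1 when the build must be blocked."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    active, expired = active_exceptions(exceptions, today)
    result = {"blocking": [], "waived": [], "unfixed": [], "expired_exceptions": [], "secrets": []}
    for res in report.get("Results", []):
        for vuln in res.get("Vulnerabilities") or []:
            vid = vuln["VulnerabilityID"]
            if vuln.get("Severity") not in BLOCK_SEVERITIES:
                continue  # below the blocking threshold; still visible in the raw report
            if IGNORE_UNFIXED and not vuln.get("FixedVersion"):
                result["unfixed"].append(vid)  # nothing to upgrade to yet: track it, do not block
                continue
            if vid in active:
                result["waived"].append(vid)
                continue
            if vid in expired:
                result["expired_exceptions"].append(vid)  # the waiver lapsed, so it blocks again
            result["blocking"].append(vid)
        # A secret hit blocks regardless of severity: it has to be rotated, it cannot be waived.
        for sec in res.get("Secrets") or []:
            result["secrets"].append((res["Target"], sec["RuleID"], sec.get("StartLine")))
    result["exit_code"] = 1 if result["blocking"] or result["secrets"] else 0
    return result


def summarize(result):
    """Human-readable verdict for the CI log."""
    lines = []
    for vid in result["blocking"]:
        tag = " (exception expired)" if vid in result["expired_exceptions"] else ""
        lines.append(f"BLOCK  {vid}{tag}")
    for target, rule, line in result["secrets"]:
        lines.append(f"BLOCK  secret {rule} in {target}:{line} -> rotate it now")
    for vid in result["waived"]:
        lines.append(f"WAIVED {vid}")
    for vid in result["unfixed"]:
        lines.append(f"NOFIX  {vid} (no fixed version yet)")
    lines.append(f"exit code {result['exit_code']}")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    verdict = evaluate(report)
    print(summarize(verdict))
    sys.exit(verdict["exit_code"])
```

On the sample, the gate blocks CVE-0000-0001 (its waiver expired) and the leaked AWS key, waives CVE-0000-0004 while its exception is valid, and lists CVE-0000-0002 as unfixed rather than failing the build for something nobody can upgrade yet. The expiry date is the part worth copying: an exception process without expiry quietly turns into permanent blindness.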

Don't treat scan reports as KPIs. What really matters is closing the loop on remediation.

Summary

Trivy is a very practical tool in DevSecOps. It is not complicated, but its coverage is wide, and it can be adopted gradually, from personal projects to enterprise pipelines.

If you deploy containers or Kubernetes services, you should at least include Trivy in your build and release process.
