https://knightli.com/en/tags/devsecops/ Recent content in DevSecOps on KnightLi Blog Hugo -- gohugo.io en Sat, 06 Jun 2026 22:26:00 +0800 https://knightli.com/en/2026/06/06/trivy-container-kubernetes-security-scanner/ Sat, 06 Jun 2026 22:26:00 +0800 https://knightli.com/en/2026/06/06/trivy-container-kubernetes-security-scanner/ <p><code>aquasecurity/trivy</code> is a very commonly used open source security scanning tool. It can scan container images, Kubernetes, code repositories, cloud configurations, IaC, Secrets, SBOMs, vulnerabilities and misconfigurations.</p> <p>If you are doing Docker, Kubernetes or CI/CD, Trivy is basically a tool that you will encounter sooner or later.</p> <h2 id="what-can-it-scan">What can it scan? </h2><p>Trivy covers a wide range of areas:</p> <ul> <li>Container image vulnerability;</li> <li>File system and code repository;</li> <li>Kubernetes resources;</li> <li>IaC such as Terraform, Kubernetes YAML;</li> <li>Secret leaked;</li> <li>License risk;</li> <li>SBOM generation and scanning;</li> <li>Cloud resource configuration issues.</li> </ul> <p>Its value lies in unifying multiple types of security checks into one tool, rather than installing a scanner for each type of risk.</p> <h2 id="where-to-put-it">Where to put it? </h2><p>Common access points:</p> <ul> <li>Scan images during local development;</li> <li>Block high-risk vulnerabilities in CI;</li> <li>Regular scanning of mirror warehouse;</li> <li>Check YAML before Kubernetes deployment;</li> <li>Generate SBOM for audit or supply chain security use;</li> <li>Scan Secrets in the code repository regularly.</li> </ul> <p>The worst thing about a security scan is that it only runs once. A better approach is to put it into the pipeline, continue to scan, and continue to repair.</p> <h2 id="what-should-you-pay-attention-to-when-using-it">What should you pay attention to when using it? </h2><p>Trivy will tell you the risks, but will not make risk decisions for you:</p> <ul> <li>Whether the vulnerability can be exploited depends on the operating environment;</li> <li>The basic image version must be upgraded regularly;</li> <li>Blocking strategies can be set for high-risk vulnerabilities;</li> <li>Low-risk and false alarms should be managed by exception;</li> <li>The secret must be rotated immediately after Secret is hit;</li> <li>SBOM is not a compliance decoration and must be able to trace the source of dependencies.</li> </ul> <p>Don’t treat scan reports as KPIs. What’s really valuable is repairing closed loops.</p> <h2 id="summary">Summary </h2><p>Trivy is a very practical knife in DevSecOps. It is not complicated, but has wide coverage, and is suitable for gradual access from personal projects to enterprise assembly lines.</p> <p>If you are deploying containers or Kubernetes services, you should at least include Trivy in your build and release process.</p> <h2 id="reference-sources">Reference sources </h2><ul> <li><a class="link" href="https://github.com/aquasecurity/trivy" target="_blank" rel="noopener" >aquasecurity/trivy - GitHub</a></li> </ul>