Back to Scaling Containers guides

Trivy Explained: Image, Filesystem, and IaC Security Scanning

Stanley Ulili
Updated on February 22, 2026

In modern software development, containers are the default unit of packaging and deployment. They provide portability, reproducibility, and scalability. But they also expand your attack surface. A widely cited industry report claimed that 87% of container images contain high or critical vulnerabilities, a statistic that highlights how common inherited risk can be.

The deeper issue is that most vulnerabilities are silent. Your build succeeds. Your tests pass. Your container starts without errors. Everything looks fine, until it is not. A vulnerable base image or outdated dependency can become the entry point an attacker needs.

This is where automated scanning becomes essential. Trivy is an open-source security scanner designed to detect vulnerabilities, misconfigurations, and secrets across containers, repositories, and infrastructure as code. Instead of treating security as a final checkpoint, Trivy makes it something you can continuously verify.

The container supply chain problem

When you deploy a container image, you are not shipping just your code. You are inheriting:

  • A base operating system such as alpine or ubuntu
  • System libraries installed via a package manager
  • Language runtimes
  • Application dependencies from external registries

A vulnerability in any of these layers becomes your vulnerability.

A news article from Infosecurity Magazine with the headline "Researchers Claim High-Risk Vulnerabilities Found in 87% of All Container Images."

This is the essence of software supply chain risk. You are trusting every upstream maintainer in your dependency graph. New Common Vulnerabilities and Exposures, or CVEs, are published daily. Manually tracking them is unrealistic.

That is why DevSecOps emphasizes “shifting left.” Security checks should run early and often, not just before deployment. Trivy helps operationalize that principle.

What makes Trivy different

Trivy is an open-source scanner created by Aqua Security and widely adopted across the ecosystem. It is often described as an “all-in-one” tool because of its breadth.

The official Trivy website, describing it as "The All-in-One Security Scanner" for finding vulnerabilities, misconfigurations, and more across various artifacts.

Its core strengths include:

  • Container image scanning for OS packages and application dependencies
  • Filesystem scanning for entire repositories
  • Git repository scanning directly from remote sources
  • Infrastructure as Code scanning for Dockerfiles, Terraform, CloudFormation, and Kubernetes YAML
  • Secret detection for accidentally committed credentials
  • CI/CD friendly behavior with policy enforcement via exit codes

Most importantly, Trivy is designed for automation. It works just as well in a local terminal as it does inside a pipeline.

Image scanning with trivy image

One of the most common use cases is scanning a container image for vulnerabilities. Trivy can be run directly via its official container image.

 
docker run --rm aquasec/trivy image --severity HIGH,CRITICAL nginx:alpine

Key details in this command:

  • --rm removes the container after execution
  • image selects image scanning mode
  • --severity HIGH,CRITICAL filters the output to the most urgent issues
  • nginx:alpine is the scan target

Trivy downloads its vulnerability database, analyzes the image layers, and prints a structured report.

For nginx:alpine, the result at the time of the original example was clean.

The summary report table from the Trivy scan, showing the nginx\:alpine target with 0 vulnerabilities and 0 secrets found.

A typical vulnerability table includes:

  • Library
  • Vulnerability ID such as CVE-2023-44487
  • Severity
  • Installed version
  • Fixed version

The installed and fixed versions are especially useful because they tell you exactly what to upgrade to resolve the issue.

Enforcing policy with exit codes

Reading reports is helpful. Enforcing policy is more powerful.

Trivy can return a non-zero exit code when it detects vulnerabilities that match your criteria. In CI systems, a non-zero exit code fails the job.

 
docker run --rm aquasec/trivy image --exit-code 1 --severity CRITICAL nginx:1.21.0

The critical addition is:

  • --exit-code 1

This means if at least one CRITICAL vulnerability is found, the process exits with code 1. In a CI pipeline, that blocks the build automatically.

The modified Trivy command, highlighting the addition of the --exit-code 1 flag.

This mechanism turns Trivy from a reporting tool into a security gate. Instead of relying on manual review, the pipeline enforces your risk threshold.

Misconfiguration scanning with trivy config

Vulnerabilities are not the only risk. Misconfigurations can create insecure defaults even when dependencies are patched.

Consider this example Dockerfile:

Dockerfile
FROM ubuntu:latest

EXPOSE 22

MAINTAINER admin@admin.local

RUN apt-get update && apt-get install -y openssh-server

This file includes several problematic patterns:

  • Using the latest tag instead of a pinned version
  • Exposing SSH inside a container
  • Using a deprecated MAINTAINER instruction

Trivy can analyze configuration files using config mode:

 
docker run --rm -v $(pwd):/project aquasec/trivy config --severity HIGH,CRITICAL /project

The -v $(pwd):/project flag mounts your current directory into the container so Trivy can scan it.

The output highlights misconfigurations along with identifiers and explanations.

The Trivy report summary for the Dockerfile scan, showing 4 misconfigurations found.

This allows you to catch risky patterns before the image is even built.

Repository-wide scanning with trivy fs

Projects rarely consist of a single Dockerfile. You typically have:

  • package.json or go.mod
  • Kubernetes YAML
  • Terraform files
  • CI configurations
  • Environment files

The filesystem scanner analyzes an entire directory tree.

 
docker run --rm -v $(pwd):/project aquasec/trivy fs --severity HIGH,CRITICAL /project

This mode detects:

  • Dependency vulnerabilities
  • Infrastructure misconfigurations
  • Hardcoded secrets

The summary report from a Trivy filesystem scan, showing results for different targets like a go.mod file and a postee.yaml file within the same repository.

The result is a consolidated view of your repository’s security posture.

Making Trivy part of your workflow

Trivy is most effective when it becomes routine rather than occasional.

Common integration patterns include:

  • Local scanning during development
  • Pull request checks in CI
  • Cluster-wide scanning in Kubernetes using an operator
  • Editor integrations for immediate feedback

Because Trivy supports exit codes, severity filtering, and multiple scan targets, it adapts to different enforcement strategies. Some teams block on CRITICAL only. Others block on both HIGH and CRITICAL. The tooling remains consistent.

Final thoughts

Containerized and cloud-native systems introduce significant supply chain complexity. Manual security review cannot scale to modern dependency graphs. Automated scanning is the only realistic solution.

Trivy stands out because it is:

  • Comprehensive
  • Fast
  • Open source
  • Automation-friendly

By scanning images, infrastructure as code, and entire repositories, you gain early visibility into vulnerabilities and misconfigurations. By enforcing exit codes in CI, you transform visibility into prevention.

Security becomes part of your development lifecycle, not a last-minute audit.

Got an article suggestion? Let us know
Next article
Exploring Podman: A More Secure Docker Alternative
This article explore Podman's features and benefits, comparing it to Docker and describing a step-by-step migration guide
Licensed under CC-BY-NC-SA

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.