Lab: Securing Docker Images with Trivy Automation

Vulnerabilities in container images expose organizations to supply chain attacks and runtime exploits. Trivy detects these issues early by scanning for known vulnerabilities, misconfigurations, secrets, and licenses in Docker images and their dependencies. Security teams integrate Trivy into CI/CD pipelines to enforce secure builds and block vulnerable images from reaching production.

Prerequisites

Install Docker on your workstation and verify it with docker --version. Install Trivy either as the official binary or as a Docker container (aquasec/trivy). For the binary, download the latest release from the Aqua Security GitHub repository, place it on your PATH, and confirm it runs with trivy --version. Create a sample project directory containing a basic Dockerfile.

Step 1: Build a Test Docker Image

Navigate to your project directory. Create a Dockerfile that pulls a base image known to contain vulnerabilities for demonstration:

dockerfile

# Older base tag chosen on purpose so the scan has findings to show
FROM python:3.9-slim

WORKDIR /app
# Copies the whole project directory; keep credentials out of it (or add a .dockerignore),
# otherwise they become part of the image and Trivy's secret scanner will flag them
COPY . .

CMD ["python", "--version"]

Build the image:

Bash

docker build -t myapp:v1 .

This command layers the base image and your application code into a new artifact.

Step 2: Run a Manual Trivy Scan

Execute Trivy against the local image to surface vulnerabilities:

Bash

trivy image myapp:v1

Trivy downloads (or refreshes) the vulnerability database if needed, then analyzes OS packages and application dependencies; by default the vuln and secret scanners run, and image configuration is only checked when you add --scanners vuln,misconfig,secret. Review the output table. It lists severity levels (CRITICAL, HIGH, MEDIUM, LOW), CVE identifiers, package names, installed versions, and fixed versions where available. Focus first on CRITICAL and HIGH findings that already have a fixed version: those are both the most likely to be exploited and the ones you can actually remediate.

Filter results to prioritize actionable issues:

Bash

trivy image --severity CRITICAL,HIGH myapp:v1

Add --exit-code 1 so the scan returns a non-zero status when findings at the selected severities exist; this is what lets a pipeline fail the build automatically:

Bash

trivy image --severity CRITICAL,HIGH --exit-code 1 myapp:v1

Step 3: Interpret Trivy Results

Trivy categorizes findings across scanners:

  • vuln: Identifies CVEs in OS and language-specific packages.
  • misconfig: Detects insecure Dockerfile directives or runtime settings.
  • secret: Uncovers hardcoded credentials.
  • license: Flags problematic open-source licenses.

For each vulnerability, cross-reference the fixed version and apply updates in your Dockerfile or dependency files. Rebuild and rescan iteratively until the image passes your policy thresholds. Trivy also generates reports in multiple formats:

Bash

trivy image --format json --output results.json myapp:v1
trivy image --format table --output report.txt --severity HIGH,CRITICAL myapp:v1
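The JSON report is what you feed to your own policy logic when the CLI flags alone are not enough (for example, different thresholds per target, or an accepted-risk list with a review date). The script below is an added example, not part of this lab or of Trivy itself: it reads the Results[].Vulnerabilities[] structure Trivy emits, counts findings by severity, and decides whether the build should block. It reproduces the effect of --severity with --exit-code 1, of --ignore-unfixed, and of a .trivyignore list so you can see exactly what each flag does. The embedded report is constructed, with placeholder CVE-0000-* identifiers, and is trimmed to the fields the gate reads.

```python
"""Policy gate over a Trivy JSON report (the output of
trivy image --format json --output results.json myapp:v1)."""
import json
import sys
from collections import Counter

# Rank severities so a threshold such as "HIGH" also catches CRITICAL.
SEVERITY_ORDER = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report: the Results[].Vulnerabilities[] shape Trivy emits,
# trimmed to the fields the gate reads. The CVE-0000-* identifiers are placeholders.
SAMPLE_REPORT = {
    "ArtifactName": "myapp:v1",
    "Results": [
        {
            "Target": "myapp:v1 (debian 12.5)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                # No FixedVersion: the distribution has not shipped a patch yet.
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
                 "InstalledVersion": "2.3-1", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3",
                 "InstalledVersion": "0.9-1", "FixedVersion": "1.0-1", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "somelib",
                 "InstalledVersion": "1.2.0", "FixedVersion": "1.2.1", "Severity": "HIGH"},
            ],
        },
    ],
}


def iter_vulns(report):
    """Yield (target, finding) for every vulnerability in every result.
    Results without findings carry no Vulnerabilities key, hence the `or []`."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def evaluate(report, fail_on="HIGH", ignore_unfixed=False, ignore_ids=frozenset()):
    """Apply the policy. Returns (blocking findings, counts of all findings by severity).

    fail_on        lowest severity that blocks the build (like --severity with --exit-code 1)
    ignore_unfixed skip findings that have no FixedVersion (like --ignore-unfixed)
    ignore_ids     accepted-risk CVE ids (like the entries of a .trivyignore file)
    """
    threshold = SEVERITY_ORDER[fail_on]
    counts = Counter()
    blocking = []
    for target, v in iter_vulns(report):
        sev = v.get("Severity", "UNKNOWN")
        counts[sev] += 1  # count everything, even what the policy later ignores
        if v["VulnerabilityID"] in ignore_ids:
            continue
        if ignore_unfixed and not v.get("FixedVersion"):
            continue
        if SEVERITY_ORDER.get(sev, 0) >= threshold:
            blocking.append({
                "target": target, "id": v["VulnerabilityID"], "pkg": v["PkgName"],
                "installed": v["InstalledVersion"], "fixed": v.get("FixedVersion", ""),
                "severity": sev,
            })
    return blocking, counts


def gate(report, **policy):
    """CI exit status: 0 when nothing blocks the build, 1 otherwise."""
    blocking, _ = evaluate(report, **policy)
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python gate.py results.json   (falls back to the embedded sample report)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    blocking, counts = evaluate(report, fail_on="HIGH", ignore_unfixed=True)
    print("findings by severity:", dict(counts))
    for b in blocking:
        print(f"BLOCK {b['severity']:<8} {b['id']} {b['pkg']} "
              f"{b['installed']} -> {b['fixed']} ({b['target']})")
    sys.exit(gate(report, fail_on="HIGH", ignore_unfixed=True))
```

Run it as python gate.py results.json after a JSON scan. Note that the unfixed HIGH finding is still counted in the summary even when ignore_unfixed drops it from the blocking list: a gate that silently hides unfixable findings loses the information you need when the distribution eventually ships a patch.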

Step 4: Automate Scans in CI/CD Pipelines

Embed Trivy into your workflow to shift security left. Here is a GitHub Actions example:

YAML

name: Trivy Security Scan

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build Docker image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Run Trivy scan
        # Pin this to a release tag or commit SHA in production; tracking @master
        # means the action's code can change underneath your pipeline
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'myapp:${{ github.sha }}'
          format: 'table'
          exit-code: '1'
          severity: 'CRITICAL,HIGH'

This workflow builds the image on every push or PR, scans it, and fails the pipeline if critical or high vulnerabilities exist. Adapt the logic for GitLab CI, Jenkins, or Azure DevOps by invoking the trivy CLI in equivalent pipeline stages.

For local development, create a Makefile or script:

makefile

scan:
	trivy image --severity CRITICAL,HIGH --exit-code 1 myapp:v1

Step 5: Remediate and Harden Images

Address findings systematically: Update base images to minimal, distroless, or hardened variants (e.g., move from python:3.9-slim to a current, supported tag or a Chainguard image). Pin dependency versions in your requirements file and bump them to the fixed versions Trivy reports, rather than running a blanket pip install --upgrade. Use multi-stage builds so compilers and build tools stay in the builder stage and never reach the final image, which both shrinks the attack surface and removes packages that would otherwise show up in the scan. Scan the Dockerfile itself for misconfigurations:

Bash

trivy config .

Trivy already caches the vulnerability database and analyzed layers (under ~/.cache/trivy by default). On CI runners, point the cache at a directory that persists between jobs so every scan does not re-download the database:

Bash

trivy image --cache-dir /path/to/cache myapp:v1
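Rescanning after a rebuild tells you whether the image passes, but not what the change actually did: a new base tag can close a dozen CVEs and quietly open two new ones. The script below is an added example, not part of this lab or of Trivy, that compares a before and after JSON report. It keys findings on Class, Type, package and CVE rather than on Target, because the Target string embeds the image tag and OS release and so changes on every rebuild. The two reports are constructed, with placeholder CVE-0000-* identifiers: the "after" image sits on a newer base tag with the Python dependency bumped.

```python
"""Compare two Trivy JSON reports (before and after a rebuild) to see what a
remediation changed: what it fixed, what it introduced, what remains."""
import json
import sys

# Constructed reports. BEFORE is myapp:v1 on an older base; AFTER is myapp:v2 rebuilt
# on a newer base tag with somelib bumped in requirements.txt. CVE ids are placeholders.
BEFORE = {
    "ArtifactName": "myapp:v1",
    "Results": [
        {"Target": "myapp:v1 (debian 12.5)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
              "InstalledVersion": "2.3-1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3",
              "InstalledVersion": "0.9-1", "FixedVersion": "1.0-1", "Severity": "MEDIUM"},
         ]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "somelib",
              "InstalledVersion": "1.2.0", "FixedVersion": "1.2.1", "Severity": "HIGH"},
         ]},
    ],
}
AFTER = {
    "ArtifactName": "myapp:v2",
    "Results": [
        {"Target": "myapp:v2 (debian 12.6)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
              "InstalledVersion": "2.3-1", "Severity": "HIGH"},
             # The newer base pulled in a package with a fresh advisory: a regression to catch.
             {"VulnerabilityID": "CVE-0000-0005", "PkgName": "libexample5",
              "InstalledVersion": "4.1-1", "FixedVersion": "4.1-2", "Severity": "HIGH"},
         ]},
        # requirements.txt is now clean; Trivy then emits the result without a Vulnerabilities key.
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip"},
    ],
}


def finding_keys(report):
    """Set of (class, type, package, CVE id) tuples. Keyed on Class/Type rather than
    Target, because Target embeds the image tag and OS release, which change per build."""
    keys = set()
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            keys.add((result.get("Class", ""), result.get("Type", ""),
                      v["PkgName"], v["VulnerabilityID"]))
    return keys


def diff_reports(before, after):
    """Return which findings the rebuild fixed, which it introduced, and which remain."""
    b, a = finding_keys(before), finding_keys(after)
    return {"fixed": sorted(b - a), "new": sorted(a - b), "remaining": sorted(a & b)}


def remediation_rate(before, after):
    """Fraction of the original findings no longer present (1.0 if nothing was there to fix)."""
    b = finding_keys(before)
    if not b:
        return 1.0
    return len(b - finding_keys(after)) / len(b)


if __name__ == "__main__":
    # Usage: python diff_reports.py before.json after.json (falls back to the embedded samples)
    if len(sys.argv) > 2:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            before, after = json.load(f1), json.load(f2)
    else:
        before, after = BEFORE, AFTER
    d = diff_reports(before, after)
    for bucket in ("fixed", "new", "remaining"):
        for cls, typ, pkg, cve in d[bucket]:
            print(f"{bucket:<9} {cve} {pkg} ({cls}/{typ})")
    print(f"remediation rate: {remediation_rate(before, after):.0%}")
    # A rebuild that introduces findings is not a pass just because it fixed older ones.
    sys.exit(1 if d["new"] else 0)
```

On the sample data the rebuild fixes three of four findings (75%), leaves the unfixable HIGH in place, and introduces one new HIGH in the fresh base layer, which is the case a plain pass/fail rescan would report only as "still failing". Feeding the per-build fixed and new counts to your dashboard is a direct way to track the remediation velocity discussed below.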

Step 6: Enforce Policies and Continuous Monitoring

Define severity thresholds and integrate Trivy with admission controllers like Kyverno or OPA Gatekeeper in Kubernetes. Schedule periodic rescans of registry images with Trivy in cron jobs or dedicated pipeline triggers. Generate SBOMs for compliance:

Bash

trivy image --format cyclonedx --output sbom.cdx myapp:v1

Keep both the Trivy binary and its vulnerability database current: the database is refreshed at least daily, and a scan against a stale copy passes silently while missing the newest CVEs.

Operational Best Practices

Run Trivy in CI/CD on every build and before deployment. Combine it with runtime tools like Falco for defense-in-depth. Treat base image updates as routine maintenance, not one-off events. Document scan results in your security dashboard and track remediation velocity. Automate notifications for new critical findings via webhooks.

Master Trivy and you establish a robust container security posture that aligns with CAS-005 principles of vulnerability management, secure configuration, and supply chain risk mitigation. Practice this lab end-to-end, then extend it to your production images. Secure builds compound into resilient deployments.


