Security Scanning in GitHub CI/CD workflow using Trivy

What is Trivy?

Trivy is an open-source scanner for security vulnerabilities and misconfigurations. It can scan container images, filesystems, Git repositories and Kubernetes clusters and resources.

Trivy can be used in a CI/CD workflow to find security issues in Git pull requests, or to check the main/master branch on a schedule.

It supports table, json and sarif output formats. SARIF output can be uploaded to the GitHub repository's Security tab (for private repositories this requires a GitHub Advanced Security licence).

In this quick-start demo we use a simple Python application built on the Flask framework.

To demonstrate how Trivy detects vulnerabilities, the codebase intentionally depends on a Flask release with High-severity CVEs and uses a python:3.5 base image, which carries a large number of known vulnerabilities.

You can clone the demo repo locally to take a closer look.

We use the following workflow definition (.github/workflows/trivy.yml) to run Trivy as a GitHub Action. It scans both the Git repository and the container image: the fs (repository) scan results are uploaded to GitHub Security, while the container image scan results are printed to the job log in table format. Both scans are limited to CRITICAL and HIGH severity findings.

name: trivy-scanning

on:
  push:
    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]
  schedule:
    - cron: '41 16 * * 0'

permissions: write-all

jobs:
  build:
    name: trivy-sec-scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      # Scan the checked-out repository (pip dependencies, Dockerfile, etc.)
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'HIGH,CRITICAL'

      # Publish the SARIF report to the repository's Security tab
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-results.sarif'

      # Build the image, tagged with the commit SHA, and scan it
      - name: Build an image from Dockerfile
        run: |
          docker build -t ${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: '${{ github.sha }}'
          format: 'table'
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

When we commit the code, GitHub Actions triggers the Trivy security scanning workflow, as shown in the screenshot below.

The container image scan results are printed to the job log in table format, as shown in the screenshot below.

The fs scan results are published to the repository's Security section, as shown in the screenshot below. They appear as open alerts.

Under the Security tab you can see there are two alerts.

Click on "Code scanning alerts" to see the latest scan results and the open alerts.

You can click on each alert to see its details.

Once we upgrade the Python package version and the Docker base image version and commit the new code, the alert is closed automatically in the "Code scanning alerts" section.

Instead of writing sarif output to GitHub Security, we can set 'exit-code' so that the step fails the workflow whenever matching vulnerabilities are found, like below.

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: '${{ github.sha }}'
          format: 'table'
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          exit-code: 1
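The severity, ignore-unfixed and exit-code inputs used above are a filter plus a pass/fail decision over Trivy's findings. The script below is an added example (not part of this post or of Trivy) that applies the same policy to Trivy's json output format, which is useful when the gating logic has to live outside the action, for example in a reusable script. The report embedded in it is constructed sample data with placeholder CVE identifiers, not real scan output.

```python
import json
import sys

# Constructed sample in the shape of `trivy --format json` output (not real scan data):
# a fixable HIGH in the pip lockfile, an unfixed CRITICAL and a fixable MEDIUM in the OS layer.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "requirements.txt", "Type": "pip", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "flask",
             "InstalledVersion": "0.12", "FixedVersion": "1.0", "Severity": "HIGH"},
        ]},
        {"Target": "python:3.5 (debian 9.13)", "Type": "debian", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6",
             "InstalledVersion": "2.24-11", "FixedVersion": "", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib1g",
             "InstalledVersion": "1.2.8", "FixedVersion": "1.2.11", "Severity": "MEDIUM"},
        ]},
    ]
})


def select_findings(report_json, severities=("CRITICAL", "HIGH"), ignore_unfixed=True):
    """Return (target, id, package, severity) for every finding that passes the filter.
    `severities` mirrors the action's `severity` input; `ignore_unfixed` mirrors
    `ignore-unfixed`, dropping findings with no FixedVersion (nothing to upgrade to)."""
    report = json.loads(report_json)
    selected = []
    for result in report.get("Results", []):
        # Trivy emits null instead of [] when a target has no vulnerabilities
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            selected.append((result["Target"], vuln["VulnerabilityID"],
                             vuln["PkgName"], vuln["Severity"]))
    return selected


def gate(report_json, **policy):
    """Print the selected findings and return the process exit code the way
    `exit-code: 1` behaves: 1 if anything matched the policy, otherwise 0."""
    findings = select_findings(report_json, **policy)
    for target, vuln_id, pkg, severity in findings:
        print(f"{severity:<8} {vuln_id:<14} {pkg} ({target})")
    return 1 if findings else 0


if __name__ == "__main__":
    # Pass a path to a real `trivy --format json` report, or run on the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(data))
```

With the defaults only the fixable HIGH in flask fails the build; passing ignore_unfixed=False also surfaces the unfixed CRITICAL in the base image, which is exactly the trade-off the ignore-unfixed input makes in the workflow above.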


In this quick demo we have covered what Trivy is and how to use it to scan a Git repository and a container image. For further information, read the official documentation.

Find out about similar Security Scanning Tools:

Security Vulnerability Scanning on GitHub code repo using CodeQL

Vulnerability Scanning in GitHub CI/CD Workflow using Grype
