Container Security with Trivy and Vulnerability Scans for Images, Registries and Clusters
A hands-on guide on how to automatically scan container images, registries, and Kubernetes clusters for vulnerabilities using Trivy and how to fix security issues early.

Introduction
Containers have revolutionized application delivery, but they also come with their own attack surfaces. Misconfigured images, outdated OS packages, or malicious dependencies can quietly sneak into your application environments.
The guiding principle here is Shift Left: identify vulnerabilities before images reach production.
With Trivy, an open-source scanner from Aqua Security, you can reliably scan your container images and OS packages. Trivy checks container images (locally or in registries), file systems & archives, Kubernetes manifests & clusters (via the Trivy Operator), and IaC templates like Terraform or Helm Charts (with extensions like tfsec).
This means one tool can cover the entire lifecycle from your laptop all the way to the production runtime environment.
What is Trivy?
Trivy combines three levels of scanning:
- OS packages (e.g., apt, apk, rpm)
- Your application dependencies (Node, Python, Go, Java …)
- Configuration vulnerabilities (Dockerfile, K8s, Terraform)
Trivy updates its CVE database automatically every 12 hours, optionally using the Aqua Vulnerability DB mirrors or community feeds such as GitHub Security Advisories.
A key strength is its lightning-fast scans enabled by local caching, making it highly suitable for integration into CI/CD pipelines.
Practical Examples
Many teams prefer a lightweight Bash script that can be integrated into any CI environment like Jenkins, GitHub Actions, GitLab, or Azure DevOps. One popular use case is scanning already existing Docker images in your container registry.
You could, for instance, set up a nightly job that scans all your container images and then sends the results to systems like Grafana Pushgateway, Log Analytics Workspace, or Splunk for storage. These collected insights can be seamlessly integrated into Grafana Dashboards or Azure Workbooks, helping Dev teams and Product Owners stay informed about existing vulnerabilities.
Alternatively, you can scan already deployed applications in your production environment on a nightly basis to check if currently running images have vulnerabilities.
To implement this use case, you could authenticate via the Azure CLI and, for example, use az webapp commands to scrape the currently used image SHAs.
Based on the collected SHAs, you can create custom Bash scripts to extract individual findings from Trivy scans per image. These filtered and aggregated results can then be sent to your Log Analytics Workspace or Prometheus and finally visualized in dashboards.
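The per-image aggregation step described above, as an added example that is not part of the original article: it takes the JSON report Trivy writes with `-f json`, counts findings by severity, renders the result in the Prometheus text format a Pushgateway accepts, and applies a pass/fail threshold for the pipeline. The report is a constructed sample (placeholder CVE ids and digest), and the script is in Python rather than Bash so it runs without trivy or jq installed.

```python
import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample of a `trivy image -f json` report, trimmed to the fields used here; CVE ids and digest are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.com/shop/api@sha256:PLACEHOLDER",
    "Results": [
        {"Target": "registry.example.com/shop/api (debian 12.5)", "Class": "os-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "InstalledVersion": "3.0.1",
             "FixedVersion": "3.0.2", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "curl", "InstalledVersion": "7.88.1",
             "FixedVersion": "", "Severity": "HIGH"}]},
        {"Target": "package-lock.json", "Class": "lang-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "lodash", "InstalledVersion": "4.17.20",
             "FixedVersion": "4.17.21", "Severity": "HIGH"}]},
        {"Target": "Dockerfile", "Class": "config"},  # Trivy omits "Vulnerabilities" when a target is clean
    ],
})

def summarize(report_json):
    """Aggregate one Trivy JSON report into (image, {severity: count}, fixable_count)."""
    report = json.loads(report_json)
    counts = Counter({sev: 0 for sev in SEVERITIES})
    fixable = 0
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:   # key may be missing or null
            counts[vuln.get("Severity", "UNKNOWN")] += 1
            if vuln.get("FixedVersion"):                    # empty string means no fix released yet
                fixable += 1
    return report["ArtifactName"], dict(counts), fixable

def to_pushgateway_text(image, counts, fixable):
    """Render the aggregate in Prometheus text exposition format, the body a Pushgateway accepts."""
    lines = ["# TYPE trivy_vulnerabilities gauge"]
    lines += [f'trivy_vulnerabilities{{image="{image}",severity="{sev}"}} {n}' for sev, n in counts.items()]
    lines.append("# TYPE trivy_fixable_vulnerabilities gauge")
    lines.append(f'trivy_fixable_vulnerabilities{{image="{image}"}} {fixable}')
    return "\n".join(lines) + "\n"

def gate(counts, max_critical=0, max_high=5):
    """Pipeline policy: True means the image may be promoted, False fails the job."""
    return counts["CRITICAL"] <= max_critical and counts["HIGH"] <= max_high

if __name__ == "__main__":
    image, counts, fixable = summarize(SAMPLE_REPORT)
    print(to_pushgateway_text(image, counts, fixable), end="")
    print("PASS" if gate(counts) else "FAIL")
```

In a nightly job the rendered text would be sent with an HTTP PUT to the Pushgateway's `/metrics/job/<job>/instance/<image>` path, one report per scanned image.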
The benefit is clear: you provide always up-to-date security insights automatically to all your project stakeholders.
Summary
A single tool like Trivy can save you a lot of time and cost, keeping you continuously informed about active vulnerabilities and giving your team clear guidance for a secure cloud strategy.
If you'd like to learn more about this topic and how to implement it, I recommend this link.