CI/CD with Docker and Container Registries, Lesson 6.5
How to scan Docker images for vulnerabilities in CI
Keywords: Trivy, docker scout, CVE scanning, SARIF format, GitHub Security tab, fail-on-severity, CI security gate, base image updates
Making Vulnerability Scanning a CI Gate
A container image is only as secure as its base image and the dependencies layered on top of it. Scanning in CI catches known CVEs before an image reaches production.
Scan with Trivy in GitHub Actions
```yaml
- name: Build image (no push)
  uses: docker/build-push-action@v5
  with:
    context: .
    load: true            # load into the local Docker daemon so Trivy can scan it
    tags: my-app:scan

- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@master   # prefer pinning to a release tag or commit SHA
  with:
    image-ref: my-app:scan
    format: sarif
    output: trivy-results.sarif
    severity: CRITICAL,HIGH
    exit-code: 1          # fail CI on CRITICAL or HIGH CVEs

- name: Upload Trivy results to GitHub Security
  if: always()            # the scan step fails the job on findings; upload them anyway
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: trivy-results.sarif
```

Setting exit-code: 1 fails the pipeline when vulnerabilities of the specified severity are found, which makes the scan a hard security gate. Because that failure would otherwise skip every later step, the upload step carries if: always() so the SARIF results still reach the repository's Security tab for review. The fix is almost always to update the base image or the vulnerable dependency. Rebuild weekly even without code changes so images pick up patched base images.
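To see what the gate actually decides on, here is an added example (not part of this lesson or of Trivy's own code) that reads a Trivy SARIF report, counts findings at or above a severity threshold, and honours a time-boxed list of accepted CVEs so an expired risk acceptance blocks the build again. It assumes Trivy's SARIF layout, in which each rule lists its severity name among properties.tags; the report and CVE ids below are constructed placeholders.

```python
import json
import sys
from datetime import date
from typing import Optional

# Trivy severity names, lowest to highest.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in Trivy's SARIF shape; the CVE ids are placeholders, not real advisories.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "Trivy", "rules": [
        {"id": "CVE-0000-0001", "properties": {"tags": ["vulnerability", "security", "CRITICAL"]}},
        {"id": "CVE-0000-0002", "properties": {"tags": ["vulnerability", "security", "HIGH"]}},
        {"id": "CVE-0000-0003", "properties": {"tags": ["vulnerability", "security", "MEDIUM"]}}]}},
    "results": [
        {"ruleId": "CVE-0000-0001", "level": "error", "message": {"text": "Package: openssl"}},
        {"ruleId": "CVE-0000-0002", "level": "error", "message": {"text": "Package: curl"}},
        {"ruleId": "CVE-0000-0003", "level": "warning", "message": {"text": "Package: zlib"}}]}]}

def rule_severity(rule: dict) -> str:
    """Severity name taken from the rule's properties.tags (assumed Trivy layout)."""
    for tag in rule.get("properties", {}).get("tags", []):
        if tag.upper() in SEVERITY_RANK:
            return tag.upper()
    return "UNKNOWN"

def evaluate_gate(sarif: dict, threshold: str = "HIGH",
                  accepted: Optional[dict] = None, today: Optional[str] = None):
    """Return (passed, blocking_ids). A finding blocks when its severity is at or above
    `threshold` unless `accepted` maps its id to an ISO review date that has not yet passed."""
    accepted = accepted or {}
    now = date.fromisoformat(today) if today else date.today()
    blocking = []
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for result in run.get("results", []):
            sev = rule_severity(rules.get(result["ruleId"], {}))
            if SEVERITY_RANK[sev] < SEVERITY_RANK[threshold]:
                continue
            until = accepted.get(result["ruleId"])
            if until and now <= date.fromisoformat(until):
                continue  # accepted risk, still inside its review window
            blocking.append(f"{result['ruleId']} ({sev})")
    return not blocking, blocking

if __name__ == "__main__":  # usage: python gate.py trivy-results.sarif (default: sample)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    ok, hits = evaluate_gate(report)
    sys.exit(0 if ok else "FAIL: " + ", ".join(hits))
```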
