Lab: Trivy image scan
Use Trivy to scan a public image and a small image you build. Paths assume Linux amd64. For a permanent PATH, see Environment Setup. Step 1 sets the path for the current shell.
Lab objective
- Install Trivy, scan alpine:3.20, build a tiny image, scan that tag.
Install Trivy
Pin TV to a current version from Trivy releases (example below):
mkdir -p ~/.local/bin
export PATH="$HOME/.local/bin:$PATH"
TV=0.69.3
curl -sSfL "https://github.com/aquasecurity/trivy/releases/download/v${TV}/trivy_${TV}_Linux-64bit.tar.gz" | tar -xz -C ~/.local/bin trivy
chmod +x ~/.local/bin/trivy
trivy --version
On arm64, download the matching Linux-ARM64 archive from the same releases page.
- Run a scan on a public image
trivy image alpine:3.20
- Build and scan a local image
mkdir -p ~/peachycloudsecurity-trivy-lab && cd ~/peachycloudsecurity-trivy-lab
cat <<'EOF' > Dockerfile
FROM debian:bookworm-slim
RUN apt-get update \
&& apt-get install -y --no-install-recommends dnsutils \
&& rm -rf /var/lib/apt/lists/*
EOF
docker build -t peachycloudsecurity-scan-target .
trivy image peachycloudsecurity-scan-target
- Optional extras: enable additional scanners and store the output as JSON.
trivy image --scanners vuln,misconfig,secret peachycloudsecurity-scan-target
trivy image -f json -o trivy-report.json peachycloudsecurity-scan-target
For CI, use the Trivy Action after you build or pull the image.
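Once the report is on disk, a pipeline usually needs a yes/no decision plus a short list of what blocked the build. The script below is an added example, not Trivy project code: it reads a Trivy JSON report (schema version 2, as produced by trivy image -f json), counts findings by severity, and exits non-zero when a finding at or above a chosen severity has a fix available. The embedded SAMPLE_REPORT is constructed for the example and its CVE identifiers are placeholders, not real advisories.

```python
"""Gate a CI job on a Trivy JSON report.

Added example, not part of the Trivy project. Assumes a report produced by
`trivy image -f json -o trivy-report.json <image>` (SchemaVersion 2):
Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion,
FixedVersion and Severity fields.
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report for offline use; the CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "peachycloudsecurity-scan-target",
    "Results": [
        {
            "Target": "peachycloudsecurity-scan-target (debian 12.x)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "dnsutils",
                 "InstalledVersion": "9.18-1", "FixedVersion": "", "Severity": "LOW"},
            ],
        },
        # Config targets carry no Vulnerabilities key; they must not crash the parser.
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile"},
    ],
})


def load_findings(report_text):
    """Flatten Results[].Vulnerabilities[] into one list of dicts."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "id": v.get("VulnerabilityID", ""),
                "pkg": v.get("PkgName", ""),
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": str(v.get("Severity", "UNKNOWN")).upper(),
                "target": result.get("Target", ""),
            })
    return findings


def count_by_severity(findings):
    """Counts per severity label, e.g. {'HIGH': 1, 'LOW': 2}."""
    return dict(Counter(f["severity"] for f in findings))


def select_blocking(findings, min_severity="HIGH", ignore_unfixed=True):
    """Findings at or above min_severity; unfixed ones are skipped by default,
    since nothing can be done about them at build time."""
    threshold = SEVERITY_ORDER.index(min_severity)
    blocking = []
    for f in findings:
        rank = SEVERITY_ORDER.index(f["severity"]) if f["severity"] in SEVERITY_ORDER else 0
        if rank < threshold:
            continue
        if ignore_unfixed and not f["fixed"]:
            continue
        blocking.append(f)
    return blocking


def gate(report_text, min_severity="HIGH", ignore_unfixed=True):
    """Return (exit_code, report_lines); exit_code is 1 when anything blocks."""
    findings = load_findings(report_text)
    blocking = select_blocking(findings, min_severity, ignore_unfixed)
    lines = [f"{sev}: {n}" for sev, n in sorted(count_by_severity(findings).items())]
    for f in blocking:
        lines.append(f"BLOCK {f['severity']} {f['id']} {f['pkg']} "
                     f"{f['installed']} -> {f['fixed']} ({f['target']})")
    return (1 if blocking else 0), lines


if __name__ == "__main__":
    # Usage: python gate.py trivy-report.json   (falls back to the sample report)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, lines = gate(text)
    print("\n".join(lines))
    sys.exit(code)
```

Trivy can enforce the same policy on its own with --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed; the script is useful when you also want the blocking findings listed in the job log or fed to another tool from the stored report.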
Clean up
cd ~
docker rmi peachycloudsecurity-scan-target 2>/dev/null || true
rm -rf ~/peachycloudsecurity-trivy-lab
Summary
- Trivy is a common first step for image CVEs. Pair with Lab: Dockerfile static analysis and Lab: SBOM with Syft and Grype as your program requires.
- Next step: Supply Chain, then Lab: SBOM with Syft and Grype.