Trivy for Engineers: Finding Vulnerabilities in Go, Docker, and Kubernetes


Trivy for Engineers: Finding Vulnerabilities in Go, Docker, and Kubernetes

aquasecurity/trivy

2025-09-05

Trivy helps you ensure the security of your software supply chain from a developer's perspective. It can be integrated into your CI/CD pipeline to automatically scan your code and container images for security issues before they are deployed. This "shift-left" approach allows you to catch and fix problems early, which is more efficient and cost-effective than finding them in production.

Trivy's key features and how they are useful

Vulnerability Scanning
Trivy can scan container images and file systems for known vulnerabilities. It checks against multiple vulnerability databases, providing you with a list of CVEs (Common Vulnerabilities and Exposures) and their severity.

Misconfiguration Detection
It can scan IaC (Infrastructure as Code) files like Terraform, Kubernetes manifests, and Dockerfiles to detect misconfigurations that could lead to security risks. For example, it can flag a Kubernetes service that's configured to be publicly accessible when it shouldn't be.

Secret Detection
Trivy can find hardcoded secrets, such as API keys and passwords, in your code and container images. This is crucial because accidentally committing secrets to a repository is a common security blunder.

SBOM (Software Bill of Materials) Generation
An SBOM is a list of all components in your software. Trivy can generate an SBOM for your container images, which is useful for compliance and understanding your application's dependencies.

The easiest way to install Trivy is using your system's package manager.

macOS
brew install trivy

Linux
Check the official Trivy documentation for the appropriate package manager command for your distribution.

Docker
You can also use Trivy as a Docker image without installing it on your machine
docker run aquasec/trivy [command]

If you're a Go developer, you can use Trivy to scan your project's dependencies for vulnerabilities.

Example

Navigate to your Go project's root directory.

Run the following command

trivy fs .

This command scans the file system, including your go.mod and go.sum files, and provides a report of any vulnerabilities found in your dependencies.

This is one of the most common use cases for Trivy. You can scan a Docker image directly.

Example

Pull a vulnerable image from Docker Hub, for example, a version of nginx with known issues.

docker pull nginx:1.14.2

Scan the image with Trivy

trivy image nginx:1.14.2

The output will show a list of vulnerabilities with their severity, package, and a link to the CVE details.

Trivy can scan your Kubernetes cluster to check for misconfigurations and vulnerabilities in deployed images.

Example

Scan the workloads running in your cluster.

trivy k8s cluster

This command will scan all pods, deployments, and other resources in your cluster and report on any security issues.

Scan a specific namespace

trivy k8s --namespace default

This narrows the scan down to a single namespace.

Integrating Trivy into your CI/CD pipeline is where its real power shines. You can add a step to your build process that automatically runs a Trivy scan. If the scan finds critical vulnerabilities, you can configure the pipeline to fail the build, preventing insecure code from being deployed.

Example (GitHub Actions)
You can add a step to your GitHub Actions workflow YAML file like this

name: CI

on:
  push:
    branches:
      - main

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Build Docker Image
        run: docker build -t my-app .

      - name: Run Trivy Scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'my-app'
          format: 'table'
          output: 'trivy-results.txt'
          exit-code: '1' # Fails the workflow if vulnerabilities are found
          severity: 'CRITICAL,HIGH' # Only checks for critical and high severity issues

aquasecurity/trivy




Meshery: A Software Engineer's Guide to Cloud Native Management

Meshery is an open-source project that focuses on managing and operating cloud native infrastructure, specifically service meshes and their integrations


Traefik Explained: Dynamic Routing and Let's Encrypt for Software Engineers

Traefik simplifies routing and managing traffic to your microservices in dynamic environments like Docker and Kubernetes


From Cloud to Edge: How WasmEdge Empowers Next-Gen Application Development

Imagine a scenario where your code runs almost anywhere, incredibly fast, and with a tiny memory footprint. That's essentially what WasmEdge offers


Moby Project: Your Gateway to Custom Containerization

Here's how Moby can be incredibly useful from a software engineer's perspective, along with how to get started and some conceptual code examples


Quick Start Infrastructure: Using ChristianLempa's Templates for Docker, K8s, and Ansible

Here's a friendly explanation of how this collection can help you, along with guidance on adoption and sample code examples


MinIO in Go and Kubernetes: Building Cloud-Agnostic Applications

MinIO is essentially an open-source, high-performance object storage server that is API-compatible with Amazon S3. This S3 compatibility is one of its biggest selling points


From Code to Cloud: A Deep Dive into Panaversity's Agentic AI for Software Engineers

The panaversity/learn-agentic-ai repository is a fantastic resource, often part of a broader certification program, designed to teach you how to build advanced AI systems using the concept of "Agentic AI" in a cloud-native


The API-First Note-Taking Solution: Why Engineers are Switching to Memos

Memos is essentially a "lightweight self-hosted micro-blogging" platform. Think of it as a private, open-source version of Twitter (X) or Google Keep


containerd: The Engine Driving Modern Container Runtimes

containerd is a core container runtime that manages the complete container lifecycle of its host system. It's an open-source project donated to the Cloud Native Computing Foundation (CNCF) and provides a robust


Simplifying LLM Tooling with IBM's mcp-context-forge

Think of mcp-context-forge as a central hub for your Large Language Model (LLM) applications. In a typical setup, your LLM might need to access various tools