How to Scan an Image for Vulnerabilities on Push in CI
Trivy scans the built image and can fail the job when high or critical vulnerabilities appear.
Build the image, then run aquasecurity/trivy-action against it with exit-code: 1 and severity: CRITICAL,HIGH to gate the pipeline.
Steps
- Build (or pull) the image to scan.
- Run
aquasecurity/trivy-actionwithimage-ref. - Set
exit-code: 1andseverityto fail on serious findings.
Workflow
.github/workflows/ci.yml
steps:
- uses: docker/build-push-action@v6
with:
context: .
load: true
tags: myapp:ci
- uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: myapp:ci
exit-code: '1'
severity: 'CRITICAL,HIGH'
ignore-unfixed: trueGotchas
- Use
load: true(notpush) so the image is available locally for the scan. ignore-unfixed: trueavoids failing on CVEs with no available fix.
Related guides
How to Sign a Container Image With Cosign Keyless in CISign a container image in GitHub Actions with cosign keyless signing over OIDC, producing a verifiable signat…
How to Attach an SBOM and Provenance to an Image in CIGenerate and attach an SBOM and build provenance to a container image in GitHub Actions using the sbom and pr…