Skip to content
Latchkey

How to Scan an Image for Vulnerabilities on Push in CI

Trivy scans the built image and can fail the job when high or critical vulnerabilities appear.

Build the image, then run aquasecurity/trivy-action against it with exit-code: 1 and severity: CRITICAL,HIGH to gate the pipeline.

Steps

  • Build (or pull) the image to scan.
  • Run aquasecurity/trivy-action with image-ref.
  • Set exit-code: 1 and severity to fail on serious findings.

Workflow

.github/workflows/ci.yml
steps:
  - uses: docker/build-push-action@v6
    with:
      context: .
      load: true
      tags: myapp:ci
  - uses: aquasecurity/trivy-action@0.28.0
    with:
      image-ref: myapp:ci
      exit-code: '1'
      severity: 'CRITICAL,HIGH'
      ignore-unfixed: true

Gotchas

  • Use load: true (not push) so the image is available locally for the scan.
  • ignore-unfixed: true avoids failing on CVEs with no available fix.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →