Skip to content
Latchkey

How to Run a Trivy Security Scan in GitHub Actions

Trivy scans images and filesystems for known CVEs and can fail the build on findings.

Run aquasecurity/trivy-action against an image or path, set exit-code: 1, and limit severities so only serious CVEs break the build.

Steps

  • Build or pull the image you want to scan.
  • Run the Trivy action with severity: CRITICAL,HIGH and exit-code: 1.
  • Optionally upload results as SARIF to the Security tab.

Workflow

.github/workflows/scan.yml
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          severity: CRITICAL,HIGH
          exit-code: '1'
          ignore-unfixed: true

Gotchas

  • Set ignore-unfixed: true so you are not blocked on CVEs with no available patch.
  • Cache the Trivy DB to avoid re-downloading it on every run.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →