How to Run a Trivy Security Scan in GitHub Actions
Trivy scans images and filesystems for known CVEs and can fail the build on findings.
Run aquasecurity/trivy-action against an image or path, set exit-code: 1, and limit severities so only serious CVEs break the build.
Steps
- Build or pull the image you want to scan.
- Run the Trivy action with
severity: CRITICAL,HIGHandexit-code: 1. - Optionally upload results as SARIF to the Security tab.
Workflow
.github/workflows/scan.yml
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: aquasecurity/trivy-action@master
with:
scan-type: fs
scan-ref: .
severity: CRITICAL,HIGH
exit-code: '1'
ignore-unfixed: trueGotchas
- Set
ignore-unfixed: trueso you are not blocked on CVEs with no available patch. - Cache the Trivy DB to avoid re-downloading it on every run.
Related guides
How to Run CodeQL Analysis in GitHub ActionsSet up CodeQL static analysis in GitHub Actions with the github/codeql-action steps to find security bugs and…
How to Generate an SBOM in GitHub ActionsGenerate a software bill of materials in GitHub Actions with Anchore Syft, producing an SPDX or CycloneDX SBO…