Skip to content
Latchkey

How to Scan a Container Image With Trivy on Push in GitHub Actions

Trivy scans a built image for known CVEs in OS packages and language dependencies, and exit-code 1 lets you block the build on serious findings.

Build the image locally in the job, then run aquasecurity/trivy-action against that tag with exit-code: 1 and a severity filter so the run fails on real risk.

Steps

  • Build the image to a local tag.
  • Run trivy-action against that tag.
  • Set severity: CRITICAL,HIGH and exit-code: 1 to gate.

Workflow

.github/workflows/ci.yml
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t myapp:ci .
      - uses: aquasecurity/trivy-action@0.24.0
        with:
          image-ref: myapp:ci
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: '1'

Gotchas

  • Without ignore-unfixed, fixed-only severity gates still flag CVEs with no patch.
  • Cache the vulnerability DB to avoid re-downloading it on every run.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →