How to Scan a Container Image With Trivy on Push in GitHub Actions
Trivy scans a built image for known CVEs in OS packages and language dependencies, and exit-code 1 lets you block the build on serious findings.
Build the image locally in the job, then run aquasecurity/trivy-action against that tag with exit-code: 1 and a severity filter so the run fails on real risk.
Steps
- Build the image to a local tag.
- Run
trivy-actionagainst that tag. - Set
severity: CRITICAL,HIGHandexit-code: 1to gate.
Workflow
.github/workflows/ci.yml
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: docker build -t myapp:ci .
- uses: aquasecurity/trivy-action@0.24.0
with:
image-ref: myapp:ci
severity: CRITICAL,HIGH
ignore-unfixed: true
exit-code: '1'Gotchas
- Without
ignore-unfixed, fixed-only severity gates still flag CVEs with no patch. - Cache the vulnerability DB to avoid re-downloading it on every run.
Related guides
How to Generate and Attest an SBOM in GitHub ActionsProduce an SPDX SBOM with anchore/sbom-action in GitHub Actions and bind it to your build with actions/attest…
How to Sign Build Artifacts With Cosign Keyless in GitHub ActionsSign a release artifact in GitHub Actions with cosign keyless signing, using the workflow OIDC token and Sigs…