Skip to content
Latchkey

How to Scan a Docker Image With Trivy and Fail on HIGH in CI

Trivy returns a nonzero exit code when it finds vulnerabilities at or above a chosen severity, which fails the CI job.

Run aquasecurity/trivy-action against the image with severity: HIGH,CRITICAL and exit-code: 1. Add ignore-unfixed: true so you only block on vulnerabilities that actually have a fix available.

Steps

  • Build or pull the image so it exists locally (or scan by reference).
  • Run trivy-action with severity and exit-code: 1.
  • Set ignore-unfixed: true to avoid failing on un-patchable findings.

Workflow

.github/workflows/docker.yml
- uses: docker/build-push-action@v6
  with:
    load: true
    tags: app:ci
- uses: aquasecurity/trivy-action@0.28.0
  with:
    image-ref: app:ci
    severity: HIGH,CRITICAL
    ignore-unfixed: true
    exit-code: '1'

Gotchas

  • load: true makes the built image available to the local daemon so Trivy can scan it.
  • Trivy caches its vulnerability database; the first run on a fresh runner downloads it and is slower.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →