How to Scan a Docker Image With Trivy and Fail on HIGH in CI
Trivy returns a nonzero exit code when it finds vulnerabilities at or above a chosen severity, which fails the CI job.
Run aquasecurity/trivy-action against the image with severity: HIGH,CRITICAL and exit-code: 1. Add ignore-unfixed: true so you only block on vulnerabilities that actually have a fix available.
Steps
- Build or pull the image so it exists locally (or scan by reference).
- Run
trivy-actionwithseverityandexit-code: 1. - Set
ignore-unfixed: trueto avoid failing on un-patchable findings.
Workflow
.github/workflows/docker.yml
- uses: docker/build-push-action@v6
with:
load: true
tags: app:ci
- uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: app:ci
severity: HIGH,CRITICAL
ignore-unfixed: true
exit-code: '1'Gotchas
load: truemakes the built image available to the local daemon so Trivy can scan it.- Trivy caches its vulnerability database; the first run on a fresh runner downloads it and is slower.
Related guides
How to Sign a Docker Image With Cosign Keyless in CISign a pushed Docker image with Sigstore cosign keyless signing in CI, using the GitHub OIDC token so no priv…
How to Generate an SBOM for a Docker Image With Syft in CIProduce a Software Bill of Materials for a Docker image in CI with Anchore Syft, emitting SPDX or CycloneDX J…