Skip to content
Latchkey

How to Scan Container Image Layers for Secrets in CI

A secret COPYed then deleted still lives in an earlier layer; scanning the built image inspects every layer.

Run trivy image --scanners secret against the image you built. Trivy unpacks each layer and reports secrets, which a source scan of the Dockerfile alone would miss.

Steps

  • Build the image in CI and tag it.
  • Run trivy image --scanners secret <tag>.
  • Fail the build on findings with --exit-code 1.

Workflow

.github/workflows/ci.yml
jobs:
  image-secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t app:ci .
      - name: Scan image layers
        run: |
          trivy image --scanners secret --exit-code 1 app:ci

Gotchas

  • Deleting a file in a later layer does not remove it from the earlier layer that copied it.
  • Use multi-stage builds so build-time secrets never reach the final image.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →