Adding Trivy Container Scanning to GitHub Actions
Scan your Docker image with Trivy in CI and block on critical vulnerabilities.
Trivy is a fast, all-in-one scanner for container images, filesystems, and IaC. The aquasecurity/trivy-action wraps the CLI for GitHub Actions. The common pattern is: build the image, scan it, fail on HIGH/CRITICAL, and upload SARIF.
What you need
- A built image tag (or a Dockerfile path to scan).
- The aquasecurity/trivy-action.
- Security-events: write permission to upload SARIF.
The workflow
Scan the image and emit SARIF; the upload runs even on findings.
.github/workflows/ci.yml
- uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: my-app:${{ github.sha }}
format: sarif
output: trivy.sarif
severity: CRITICAL,HIGH
exit-code: 1
- uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: trivy.sarifCommon gotchas
- exit-code: 1 plus an if: always() upload is needed so SARIF still uploads when the scan fails.
- The vulnerability DB downloads each run unless you cache it - use cache: true on the action.
- Scanning by image-ref requires the image to exist locally or in a reachable registry first.
Key takeaways
- trivy-action scans images and emits SARIF for code scanning.
- Use exit-code with if: always() so findings still upload.
- Cache the vulnerability DB to avoid re-downloading each run.
Related guides
Adding Grype to GitHub ActionsScan images and directories for vulnerabilities with Anchore Grype in GitHub Actions, set a fail-on severity,…
Adding Checkov IaC Scanning to GitHub ActionsScan Terraform, CloudFormation, and Kubernetes manifests with Checkov in GitHub Actions, emit SARIF, and fail…
Adding OSV-Scanner to GitHub ActionsScan lockfiles against the OSV database with Google OSV-Scanner in GitHub Actions using the reusable workflow…