Skip to content
Latchkey

Adding Trivy Container Scanning to GitHub Actions

Scan your Docker image with Trivy in CI and block on critical vulnerabilities.

Trivy is a fast, all-in-one scanner for container images, filesystems, and IaC. The aquasecurity/trivy-action wraps the CLI for GitHub Actions. The common pattern is: build the image, scan it, fail on HIGH/CRITICAL, and upload SARIF.

What you need

  • A built image tag (or a Dockerfile path to scan).
  • The aquasecurity/trivy-action.
  • Security-events: write permission to upload SARIF.

The workflow

Scan the image and emit SARIF; the upload runs even on findings.

.github/workflows/ci.yml
- uses: aquasecurity/trivy-action@0.28.0
  with:
    image-ref: my-app:${{ github.sha }}
    format: sarif
    output: trivy.sarif
    severity: CRITICAL,HIGH
    exit-code: 1

- uses: github/codeql-action/upload-sarif@v3
  if: always()
  with:
    sarif_file: trivy.sarif

Common gotchas

  • exit-code: 1 plus an if: always() upload is needed so SARIF still uploads when the scan fails.
  • The vulnerability DB downloads each run unless you cache it - use cache: true on the action.
  • Scanning by image-ref requires the image to exist locally or in a reachable registry first.

Key takeaways

  • trivy-action scans images and emits SARIF for code scanning.
  • Use exit-code with if: always() so findings still upload.
  • Cache the vulnerability DB to avoid re-downloading each run.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →