Skip to content
Latchkey

trivy image: Scan Container Images for CVEs

trivy image pulls and scans a container image, reporting OS-package and application-dependency vulnerabilities.

trivy image is the workhorse command. Point it at a tag or digest and it inspects the layers, matches packages against its vulnerability database, and prints findings grouped by severity.

What it does

trivy image analyzes a container image: it enumerates OS packages (apk, dpkg, rpm) and language dependencies, matches them against the Trivy vulnerability database, and reports each CVE with its severity and fixed version. It can scan a local image, a registry reference, or a tarball.

Common usage

Terminal
trivy image alpine:3.19
trivy image --severity HIGH,CRITICAL myorg/app:${GITHUB_SHA}
# scan a tarball produced by docker save
docker save myorg/app:ci -o app.tar
trivy image --input app.tar

Options

FlagWhat it does
--severity <list>Comma list to report: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
--scanners <list>What to run: vuln, secret, misconfig, license
--format <fmt>Output format: table, json, sarif, cyclonedx, spdx
--input <file>Scan an image tarball instead of pulling
--ignore-unfixedHide vulnerabilities with no fix available
--exit-code <n>Exit with this code when findings match

In CI

Add --exit-code 1 --severity HIGH,CRITICAL so the job fails only on actionable findings. Cache the vulnerability database between runs (see trivy-db-cache-ci) so each job does not re-download roughly 50MB from the registry.

Common errors in CI

"FATAL failed to download vulnerability DB ... TOOMANYREQUESTS: retry-after" means the GHCR-hosted DB was rate-limited; cache it or authenticate. "unable to find the specified image" means the tag is not present locally and cannot be pulled; build or pull it first, or pass --input. "unsupported file type" usually means --input was handed a non-tarball.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →