trivy image: Scan Container Images for CVEs
trivy image pulls and scans a container image, reporting OS-package and application-dependency vulnerabilities.
trivy image is the workhorse command. Point it at a tag or digest and it inspects the layers, matches packages against its vulnerability database, and prints findings grouped by severity.
What it does
trivy image analyzes a container image: it enumerates OS packages (apk, dpkg, rpm) and language dependencies, matches them against the Trivy vulnerability database, and reports each CVE with its severity and fixed version. It can scan a local image, a registry reference, or a tarball.
Common usage
trivy image alpine:3.19
trivy image --severity HIGH,CRITICAL myorg/app:${GITHUB_SHA}
# scan a tarball produced by docker save
docker save myorg/app:ci -o app.tar
trivy image --input app.tarOptions
| Flag | What it does |
|---|---|
| --severity <list> | Comma list to report: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL |
| --scanners <list> | What to run: vuln, secret, misconfig, license |
| --format <fmt> | Output format: table, json, sarif, cyclonedx, spdx |
| --input <file> | Scan an image tarball instead of pulling |
| --ignore-unfixed | Hide vulnerabilities with no fix available |
| --exit-code <n> | Exit with this code when findings match |
In CI
Add --exit-code 1 --severity HIGH,CRITICAL so the job fails only on actionable findings. Cache the vulnerability database between runs (see trivy-db-cache-ci) so each job does not re-download roughly 50MB from the registry.
Common errors in CI
"FATAL failed to download vulnerability DB ... TOOMANYREQUESTS: retry-after" means the GHCR-hosted DB was rate-limited; cache it or authenticate. "unable to find the specified image" means the tag is not present locally and cannot be pulled; build or pull it first, or pass --input. "unsupported file type" usually means --input was handed a non-tarball.