CyberCheatsheets

Trivy Cheat Sheet

Scanner for container images, filesystems, and IaC (Terraform, K8s) for CVEs and misconfigurations.

Cloud & Containers | tags: container, iac, vulnerability | Updated 2026-06-02

Overview

Trivy finds vulnerabilities in OS packages and language dependencies in Docker images, repos, and Kubernetes manifests. Use in CI/CD and during container breakout / supply-chain reviews.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

sudo apt install -y wget apt-transport-https
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo gpg --dearmor -o /usr/share/keyrings/trivy.gpg
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt update && sudo apt install -y trivy
trivy --version

Essential commands

Scan image

trivy image nginx:latest

Only HIGH/CRITICAL

trivy image --severity HIGH,CRITICAL myapp:1.0

Filesystem (a project directory, or the exported rootfs of a running container)

trivy fs /path/to/project

Common workflows

Docker image before deploy —

docker build -t myapp:test .
trivy image --ignore-unfixed myapp:test
trivy image -f json -o report.json myapp:test

Kubernetes manifests —

trivy config deployment.yaml
trivy k8s --report summary cluster

Repo / lockfiles —

trivy fs --scanners vuln,secret,misconfig .
trivy repo https://github.com/org/app

SBOM —

trivy image --format cyclonedx -o sbom.json myapp:latest
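
An SBOM is mostly useful when you compare it against the previous build. The script below is an added example (not Trivy's own code): it reads two CycloneDX JSON documents of the kind `trivy image --format cyclonedx` writes and reports components that were added, removed or re-versioned. Both SBOMs are constructed samples with the minimal fields Trivy emits (bomFormat, specVersion, components[].name/version/purl); the file paths in the usage line are placeholders.

```python
"""Diff two CycloneDX SBOMs (e.g. from trivy image --format cyclonedx -o sbom.json).

Added example, not part of the Trivy project. Components are keyed by their
purl with the version, qualifiers and subpath stripped, so a version bump shows
up as "changed" rather than as one removal plus one addition.
"""
import json
import sys

# Constructed sample: SBOM of the previous release.
OLD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.11",
         "purl": "pkg:deb/debian/openssl@3.0.11?arch=amd64"},
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:deb/debian/zlib@1.2.13?arch=amd64"},
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
    ],
})

# Constructed sample: SBOM of the candidate build.
NEW_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:deb/debian/openssl@3.0.13?arch=amd64"},
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:deb/debian/zlib@1.2.13?arch=amd64"},
        {"type": "library", "name": "axios", "version": "1.6.0",
         "purl": "pkg:npm/axios@1.6.0"},
    ],
})


def purl_base(purl):
    """Reduce pkg:type/ns/name@version?qualifiers#subpath to pkg:type/ns/name."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    return base.rsplit("@", 1)[0] if "@" in base else base


def components(sbom_json):
    """Map versionless purl -> version for every component in a CycloneDX SBOM."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out = {}
    for c in bom.get("components", []):
        # Fall back to type/name when a component carries no purl.
        key = purl_base(c["purl"]) if c.get("purl") else f"{c.get('type', 'unknown')}/{c['name']}"
        out[key] = c.get("version", "")
    return out


def diff_sboms(old_json, new_json):
    """Return added/removed components (with version) and version changes."""
    old, new = components(old_json), components(new_json)
    return {
        "added": sorted((k, new[k]) for k in new if k not in old),
        "removed": sorted((k, old[k]) for k in old if k not in new),
        "changed": sorted((k, old[k], new[k]) for k in old if k in new and old[k] != new[k]),
    }


def render(diff):
    """One line per difference, in a +/-/~ style suitable for a CI log."""
    lines = [f"+ {k} {v}" for k, v in diff["added"]]
    lines += [f"- {k} {v}" for k, v in diff["removed"]]
    lines += [f"~ {k} {a} -> {b}" for k, a, b in diff["changed"]]
    return lines


if __name__ == "__main__":
    # Usage: python sbom_diff.py old-sbom.json new-sbom.json (placeholder paths)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            old_doc, new_doc = f1.read(), f2.read()
    else:
        old_doc, new_doc = OLD_SBOM, NEW_SBOM
    print("\n".join(render(diff_sboms(old_doc, new_doc))) or "no differences")
```

Keying on the versionless purl rather than on the bare name keeps a Debian package and an npm package of the same name apart, which matters when the image carries both OS and application dependencies.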

CI exit code on findings —

trivy image --exit-code 1 --severity CRITICAL myapp:prod
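
`--exit-code` with `--severity` is the simplest gate, but once the JSON report from the workflow above is saved you can apply several policies to it without rescanning. The script below is an added example (not Trivy's own code) that reproduces the effect of `--severity` and `--ignore-unfixed` over a saved report and honours a `.trivyignore`-style allowlist (one vulnerability or rule ID per line, `#` comments; the inline-comment handling is a simplification of my own). The report is a constructed sample whose field names follow Trivy's JSON output (Results[].Vulnerabilities[], Results[].Secrets[]); the CVE IDs and file names in it are placeholders.

```python
"""Gate a CI job on a saved Trivy JSON report (trivy image -f json -o report.json ...).

Added example, not part of the Trivy project. evaluate() returns the findings
that should block the build plus a per-severity summary; exit_code() maps that
to the 0/1 convention Trivy's own --exit-code uses.
"""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of a Trivy JSON report; CVE IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "myapp:test",
    "Results": [
        {
            "Target": "myapp:test (debian 12.5)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3",
                 "InstalledVersion": "0.9", "FixedVersion": "0.9.1", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "app/config.py",
            "Class": "secret",
            "Secrets": [
                {"RuleID": "aws-access-key-id", "Category": "AWS", "Severity": "CRITICAL",
                 "Title": "AWS Access Key ID", "StartLine": 12},
            ],
        },
    ],
})


def parse_trivyignore(text):
    """Allowlist of IDs: one per line, blank lines and '#' comments ignored (simplified)."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def evaluate(report_json, min_severity="HIGH", ignore_unfixed=True, ignore_ids=frozenset()):
    """Return (blocking_findings, summary). Each finding is a tuple:
    (target, id, package-or-title, installed-or-location, fixed, severity)."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    blocking, summary = [], Counter()
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN")
            summary[sev] += 1
            if v["VulnerabilityID"] in ignore_ids:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue  # same effect as trivy --ignore-unfixed
            if SEVERITY_RANK.get(sev, 0) >= threshold:
                blocking.append((result["Target"], v["VulnerabilityID"], v["PkgName"],
                                 v["InstalledVersion"], v["FixedVersion"], sev))
        for s in result.get("Secrets") or []:
            summary["SECRET"] += 1
            # A secret has no "fix version"; a hardcoded credential blocks unless allowlisted.
            if s["RuleID"] not in ignore_ids:
                blocking.append((result["Target"], s["RuleID"], s.get("Title", ""),
                                 f"line {s.get('StartLine', '?')}", "", s.get("Severity", "UNKNOWN")))
    return blocking, summary


def exit_code(report_json, **policy):
    """1 if any finding blocks under the policy, else 0 (mirrors --exit-code 1)."""
    blocking, _ = evaluate(report_json, **policy)
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python trivy_gate.py report.json [.trivyignore]   (placeholder paths)
    doc = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    ignore = parse_trivyignore(open(sys.argv[2]).read()) if len(sys.argv) > 2 else set()
    findings, counts = evaluate(doc, ignore_ids=ignore)
    for f in findings:
        print("BLOCK", *f)
    print("summary:", dict(counts))
    sys.exit(exit_code(doc, ignore_ids=ignore))
```

Keep the allowlist in version control next to the Dockerfile so that every accepted CVE has a reviewable history, and re-run the gate with `ignore_unfixed=False` periodically: an unfixed HIGH is still present in the image, it is just not actionable yet.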

Flags reference

Flag / command                  Purpose
--severity CRITICAL,HIGH,...    Filter findings by severity
--ignore-unfixed                Skip CVEs without a patch
-f table | -f json              Output format
--scanners vuln,secret          Scanner types
--skip-dirs node_modules        Exclude paths
trivy sbom                      Scan an existing SBOM
--db-repository                 Alternate DB source for offline / air-gapped use

Tips

  • First run downloads vulnerability DB — allow network or pre-cache in CI.
  • The secret scanner catches hardcoded keys in image layers and in git history paths.
  • Combine with docker history to find secrets left in old layers.
  • For a running container: dump its filesystem with docker export, extract the tarball, then run trivy fs on the extracted tree.
