Trivy - The Security Scanner That Doesn't Suck (Much)

Been using security scanners since 2018 and most are garbage. They miss CVE-2021-44228 (Log4Shell) then alert about CVE-2007-4559 in Python tarfile that's been "critical" for 15 years. Trivy is different - finds real shit.

What Makes Trivy Not Terrible

Trivy scans your containers, code repos, and Kubernetes clusters for security issues. The big difference is it finds real problems you should actually fix instead of theoretical bullshit that doesn't matter.

Installation doesn't make you want to quit your job: Run brew install trivy or docker run aquasec/trivy and you're done. No database setup, no license keys, no "please contact sales" nonsense.

Covers the stuff you actually use: Alpine, Ubuntu, RHEL, whatever Linux distro is in your containers. Java, Python, Node.js, Go - the languages your team actually uses. Package managers too - npm, Maven, pip, Cargo, the whole zoo.

Actually fast: Alpine containers scan in 30 seconds. Spring Boot with 47 JAR files? 8 minutes. Python ML images with TensorFlow 2.13.0 and 50GB of dependencies? Go grab coffee and a sandwich.

Real World Performance

Here's what happens when you run trivy image nginx:1.25.2:

Alpine base: 30 seconds. Node.js 18 apps: 2-3 minutes. Java Spring Boot 3.1.0 with every dependency known to mankind? 8-15 minutes. Python ML with PyTorch 2.0.1 and Jupyter? Order takeout.

Memory usage: 2GB for normal containers. Java apps need 6-8GB because Spring loads the entire internet. Learned this when Trivy OOMkilled our 4GB Jenkins node scanning one massive Java monolith.

Caching saves your sanity: First scan downloads vulnerability DB (47MB as of October 2024). After that, scans are instant. Without caching, every CI job downloads from scratch and times out. Learned this debugging why our builds randomly failed with timeout after 300s.

GitLab Actually Said It's Good

GitLab's security team evaluated multiple scanners and called Trivy "a clear leader in the market" which is corporate speak for "this tool doesn't suck." Coming from GitLab, who have tried every security scanner on earth, that actually means something.

Integration That Doesn't Break Your Workflow

CI/CD: Works with GitHub Actions, GitLab CI, Jenkins, Azure DevOps. The GitHub Action is solid - add it to your workflow and it just works. SARIF output integrates nicely with GitHub's security tab.

Kubernetes: The Trivy Operator scans your cluster continuously. It creates Kubernetes resources for vulnerability reports so you can query them with kubectl. Pretty slick if you're into that.

Developer Tools: VS Code extension shows vulnerabilities while you code. Useful for catching issues before they hit your main branch, though it can be noisy if your project has tons of dependencies.

What Actually Breaks

Let's be real - nothing is perfect:

• Large Python images with scikit-learn 1.3.0 and 12GB of ML libraries take 25+ minutes. Use --skip-files \"**/site-packages/**\" if you're debugging at 3am.
• CLI output looks like someone vomited JSON. Use --format table or --format json and parse it yourself.
• Hangs on broken images like mcr.microsoft.com/windows/servercore:ltsc2019 (yes, specific version). Kill with CTRL+C and try again.
• Air-gapped setups need manual DB downloads. Error: failed to download vulnerability DB means you're fucked without internet.

But compared to other security tools that either don't work or require a PhD to configure, Trivy is refreshingly simple. Install it, point it at your container, get results you can actually use.

Most enterprise security tools cost $50k/year and still miss half the vulnerabilities. Trivy is free and finds more issues than most commercial scanners. That's why teams actually use it instead of letting it collect dust like most security purchases.

Install It and Move On

Most security tools make you install Java, configure databases, and sacrifice a goat. Trivy just works:

Mac: brew install trivy - done (takes 30 seconds)
Linux: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh - installs to /usr/local/bin/
Windows: Download from GitHub releases. Chocolatey version is usually 2 versions behind.
CI/CD: Use aquasec/trivy:0.44.1 - never use :latest in prod, learned this when v0.40.0 broke our builds

That's it. No database setup, no license keys, no "please contact sales."

Actually Using It

Scan a container image (what 90% of people do):

trivy image nginx:latest

Filter out the noise (what you should actually do):

trivy image --severity HIGH,CRITICAL ubuntu:20.04

Scan your project directory for secrets and other shit:

trivy fs --scanners vuln,secret,misconfig .

Scan a GitHub repo without cloning it locally:

trivy repo https://github.com/aquasecurity/trivy

The output will be ugly but functional. Use --format json if you're automating stuff.

Don't Let It Kill Your CI

Set up caching or your builds will timeout downloading databases:

export TRIVY_CACHE_DIR=/var/cache/trivy

Spent 3 hours debugging when Trivy failed with permission denied: /var/cache/trivy/db - Jenkins user couldn't write to cache dir. Fixed with chown jenkins:jenkins /var/cache/trivy.

Only fail on stuff that matters:

trivy image --exit-code 1 --severity HIGH,CRITICAL myapp:latest

Ignore the false positives that are wasting your time:

## .trivyignore - comment everything so you remember why
CVE-2023-1234  # Dev dependency, doesn't affect prod
CVE-2023-5678  # Windows CVE, we use Linux

Pro tip: If you're getting 500 vulnerabilities, 400 are probably MEDIUM severity noise that you'll never fix. Start with HIGH and CRITICAL only.

CI/CD Integration That Actually Works

GitHub Actions - copy this, it works:

- uses: aquasecurity/trivy-action@master
  with:
    image-ref: 'myapp:${{ github.sha }}'
    format: 'sarif'
    output: 'trivy-results.sarif'
    severity: 'HIGH,CRITICAL'

The SARIF output integrates nicely with GitHub's security tab. Don't forget to upload it:

- uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: 'trivy-results.sarif'

This worked in our setup. Your mileage may vary because GitHub Actions can be weird about file paths.

Docker in CI - when you just want it to work:

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
  aquasec/trivy:latest image --exit-code 1 --severity HIGH,CRITICAL myapp:latest

Pin whatever version works so updates don't break your builds unexpectedly.

Advanced Stuff You Probably Don't Need

Trivy Operator - runs Trivy continuously in your Kubernetes cluster:

kubectl apply -f https://raw.githubusercontent.com/aquasecurity/trivy-operator/main/deploy/static/trivy-operator.yaml

It's cool if you want continuous scanning, but adds complexity. Most teams are fine with CI scanning.

SBOM generation - for compliance people who love acronyms:

trivy image --format spdx-json myapp:latest > sbom.json

Secret scanning - catches AWS keys and other credentials:

trivy fs --scanners secret .

Caught AKIA... AWS keys in our GitHub Actions logs that would have fucked us. Found them after they were already in 47 commits. Rotation took 6 hours, but better than a $10,000 AWS bill.

What Actually Breaks

Real talk about what goes wrong:

• Large Python ML images: Take forever to scan. Exclude site-packages if you don't care about Python vulnerabilities.
• CI timeouts: Cache the vulnerability database or every build downloads like 30MB. Usually works.
• Memory issues: Java Spring Boot 3.x apps need 8GB+ to scan. Ran 4 parallel scans on 16GB Jenkins node, got OutOfMemoryError: Java heap space. Now we run 1 at a time.
• False positives: Use .trivyignore liberally or you'll drown in noise.
• Windows containers: Limited OS coverage compared to Linux. Not sure why.

But compared to enterprise security tools that either don't work or require a team of consultants to configure, Trivy is refreshingly simple. Install it, point it at your stuff, get usable results.