
Container Security Scanning

Why Container Scanning Matters

Container images can include vulnerable packages inherited from base images or installed dependencies. Without scanning:

  • Known CVEs in OS packages go undetected
  • Vulnerable Python libraries ship to production
  • Compliance requirements (SOC2, PCI-DSS) are not met
  • Supply chain attacks through transitive dependencies are missed

Scanning in CI

The CI pipeline runs Trivy after every image build:

# From .github/workflows/ci.yml
- name: Run Trivy vulnerability scan
  uses: aquasecurity/trivy-action@0.28.0
  with:
    image-ref: "ghcr.io/owner/grokdevops:tag"
    format: table
    exit-code: "1"
    severity: CRITICAL,HIGH

The pipeline fails (exit-code: 1) if any CRITICAL or HIGH vulnerabilities are found. That includes findings the distribution has not patched yet; if those block merges for too long, the action's ignore-unfixed input (set to "true") drops them from the gate, at the cost of no longer seeing them in the log.

Running Locally

Install Trivy

# macOS
brew install trivy

# Linux (Debian/Ubuntu): Trivy is not in the distribution repositories, so add Aqua's signed apt repo first
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update && sudo apt-get install -y trivy
# or download a release binary from https://github.com/aquasecurity/trivy/releases

Scan a local image

To inspect a local image, Trivy talks to the Docker daemon socket (it falls back to containerd and Podman, and finally to pulling the reference from a registry). If you get a "permission denied" error on the socket, do not run Trivy as root to get around it; export the image to a tarball and scan that instead (Method 2 below).

# Build the image first
docker build -t grokdevops:test .

# Method 1: Direct image scan (requires Docker socket access)
trivy image --severity CRITICAL,HIGH grokdevops:test

# Method 2: Scan via saved tarball (works without socket access)
# Use $HOME (not /tmp) — snap-installed Trivy cannot see /tmp on the host.
docker save grokdevops:test -o "$HOME/grokdevops-test.tar"
trivy image --input "$HOME/grokdevops-test.tar" --severity CRITICAL,HIGH
rm -f "$HOME/grokdevops-test.tar"

# Scan with exit code (for scripts/CI)
trivy image --exit-code 1 --severity CRITICAL,HIGH grokdevops:test

# Full scan including LOW and MEDIUM
trivy image grokdevops:test

Example Output

grokdevops:test (debian 12.4)

Total: 0 (HIGH: 0, CRITICAL: 0)

Python (pip)

Total: 0 (HIGH: 0, CRITICAL: 0)

A clean scan shows zero CRITICAL/HIGH findings for every target. When vulnerabilities are found, Trivy prints one row per finding with the package, CVE ID, severity, installed version and fixed version (blank when no fix has been released yet) and a short title.
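The gate that the exit-code flags above implement, written out as an added example (this is not the project's own script): it reads Trivy's JSON report (trivy image --format json --output report.json grokdevops:test; trivy sbom emits the same structure, so it also works on the SBOM from CI), reproduces the per-target totals shown above, and returns 1 on CRITICAL/HIGH findings. Unlike a plain --exit-code 1, it can be told to treat findings with no available fix as warnings instead of failures (the same effect as Trivy's --ignore-unfixed) while still printing them, so nothing disappears from the log. The report embedded in it is constructed; gate.py, the package names and the CVE-0000-* IDs are placeholders.

```python
"""Policy gate over a Trivy JSON report (added example, not part of the grokdevops project).
Produce the input with either command; both emit the same Results[] structure:
    trivy image --format json --output report.json grokdevops:test
    trivy sbom  --format json --output report.json sbom.spdx.json
"""
import json
import sys
from collections import Counter

FAIL_SEVERITIES = {"CRITICAL", "HIGH"}  # same threshold as the CI workflow

# Constructed sample report: shape follows Trivy's JSON schema, packages and CVE IDs are placeholders.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "grokdevops:test",
    "Results": [
        {
            "Target": "grokdevops:test (debian 12.4)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3",
                 "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "examplelib",
                 "InstalledVersion": "3.1.0", "FixedVersion": "3.1.1", "Severity": "CRITICAL"},
            ],
        },
        # A target with no findings: Trivy omits the Vulnerabilities key entirely.
        {"Target": "Python (python-pkg)", "Class": "lang-pkgs"},
    ],
}


def evaluate(report, fail_severities=FAIL_SEVERITIES, ignore_unfixed=False):
    """Split findings into (blocking, warnings). A finding blocks when its severity is in
    fail_severities and either a fix exists or ignore_unfixed is False (Trivy's default:
    unfixed CRITICAL/HIGH findings still fail the build)."""
    blocking, warnings = [], []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key may be absent or null
            finding = {
                "target": result["Target"],
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN"),
            }
            severe = finding["severity"] in fail_severities
            if severe and (finding["fixed"] or not ignore_unfixed):
                blocking.append(finding)
            else:
                warnings.append(finding)
    return blocking, warnings


def summarize(report):
    """Per-target severity counts, the numbers behind Trivy's 'Total: N (...)' line."""
    return {
        result["Target"]: dict(Counter(v.get("Severity", "UNKNOWN")
                                       for v in result.get("Vulnerabilities") or []))
        for result in report.get("Results", [])
    }


def main(argv):
    """Usage: gate.py [--ignore-unfixed] [report.json]; without a file, runs on the sample."""
    files = [a for a in argv[1:] if not a.startswith("--")]
    if files:
        with open(files[0]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    blocking, warnings = evaluate(report, ignore_unfixed="--ignore-unfixed" in argv)
    for target, counts in summarize(report).items():
        detail = ", ".join(f"{sev}: {n}" for sev, n in sorted(counts.items()))
        print(f"{target}\nTotal: {sum(counts.values())} ({detail})\n")
    for label, findings in (("BLOCK", blocking), ("WARN", warnings)):
        for f in findings:
            print(f"{label} {f['id']} {f['severity']} {f['pkg']} {f['installed']} "
                  f"-> {f['fixed'] or 'no fix available'} [{f['target']}]")
    return 1 if blocking else 0  # same contract as trivy --exit-code 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 gate.py report.json in CI, or python3 gate.py --ignore-unfixed report.json to fail only on findings you can actually fix by upgrading; in both modes every finding is still printed, which is the property a plain exit code loses.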

Scan the filesystem (without building)

trivy fs --severity CRITICAL,HIGH .

This checks the packages pinned in requirements.txt against the vulnerability database without building a Docker image. It only sees what the file pins: unpinned or transitive dependencies and the OS packages inherited from the base image are covered only by the image scan, so treat this as a fast pre-commit check rather than a replacement for it.

SBOM Generation

The CI pipeline also generates a Software Bill of Materials (SBOM) in SPDX format. This is a complete inventory of the packages in the image, kept for compliance and audit purposes, and it also lets you re-check a released image against CVEs published after the build without pulling or rebuilding it: trivy sbom <file> scans an SPDX (or CycloneDX) SBOM directly and reports in the same format as an image scan.

The SBOM is uploaded as a build artifact and can be downloaded from the GitHub Actions run.