Evaluation of open source infrastructure, container image testing, configuration file adjustment — these are just a small part of the functionality provided by the Trivy Docker vulnerability scanner.
For reference: this utility is an open source tool from Aqua Security whose main practical purpose is to find vulnerabilities and misconfigurations related to the operating system. A key feature of Trivy is its ability to analyze Kubernetes clusters and scan code repositories in Git.
Installing the Trivy vulnerability scanner
The simplicity and convenience of the installation process make it easy to integrate the utility into DevSecOps (CI/CD pipeline). To do so, it is enough to add the Trivy binary to your project.
After installing the Trivy package, the user gains access to an extensive vulnerability and error database, allowing for rapid and effective scanning of critical OS areas. The utility supports most known programming languages, hidden packages, OS archives, and provides progressive updates — enabling security professionals to monitor vulnerabilities and critical errors efficiently and in a timely manner.
Important: to avoid infecting a portable or personal computer with malicious code (viruses), it is strongly recommended to install the scanner only from the official Ubuntu repository.
Once the package is installed and updated to the latest version, the user can begin vulnerability scanning.
Git repositories: scanning file features
The utility allows users to search for critical errors and vulnerabilities across different repositories.
For example, if Git is selected as the main storage, it's possible to scan a Git file directly (without downloading the entire package).
Docker containers: vulnerability monitoring
Docker is one of the most critically sensitive assets in terms of cybersecurity threats. Trivy has proven itself as one of the most effective tools for scanning Docker container vulnerabilities.
To monitor container images, the user must perform the following steps:
- Look up the ID (unique identifier) of the Docker container image to be scanned.
- Run the image scan directly against that ID.
For user reference: scan results can be saved in report files (text format). This is especially useful in the case of critical vulnerabilities and errors that may have serious consequences for the OS. To save the results in text format, use the following syntax (replace IMAGE with the image name or ID to scan):
sudo trivy image --severity HIGH IMAGE > result.txt
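The command above filters by severity and redirects the scanner's output to a text file. In a CI/CD pipeline it is more useful to consume the report programmatically and fail the build when something at or above the chosen severity remains. The following Python script is an added example and is not part of Trivy or of the original page: it assumes the JSON layout produced by `trivy image --format json IMAGE` (a top-level `Results` list whose entries carry `Target` and an optional `Vulnerabilities` list with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`), applies the same severity filter as `--severity HIGH`, optionally drops findings without a fixed version, writes a plain-text summary of the kind the page redirects into result.txt, and returns a gate result. The embedded report, its package names, versions and CVE identifiers are constructed placeholders, not real findings.

```python
"""Severity gate over a Trivy JSON report (added example, not Trivy's own code).

Assumes the JSON produced by `trivy image --format json IMAGE`:
{"ArtifactName": ..., "Results": [{"Target": ..., "Vulnerabilities": [...]}]}
"""
import json
import subprocess
import sys

# Trivy's severity labels, least to most severe.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report: the shape follows Trivy's JSON output, but the
# image name, packages, versions and CVE ids are placeholders, not real data.
SAMPLE_REPORT = {
    "ArtifactName": "example/app:1.0",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "example/app:1.0 (alpine 3.18.0)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0",
                 "Severity": "HIGH", "Title": "placeholder high finding"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.3.0-r0",
                 "Severity": "CRITICAL", "Title": "placeholder, no fix yet"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
                 "InstalledVersion": "0.9.0-r0", "FixedVersion": "0.9.1-r0",
                 "Severity": "LOW", "Title": "placeholder low finding"},
            ],
        },
        # A clean target: Trivy omits "Vulnerabilities" when there are none.
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip"},
    ],
}


def _rank(severity):
    """Numeric rank of a severity label; unknown labels rank lowest."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def run_trivy(image):
    """Invoke the real scanner and parse its JSON (not used by the offline sample)."""
    out = subprocess.run(
        ["trivy", "image", "--format", "json", "--quiet", image],
        check=True, capture_output=True, text=True,
    )
    return json.loads(out.stdout)


def select_findings(report, min_severity="HIGH", ignore_unfixed=False):
    """Flatten Results[] and keep findings at or above min_severity."""
    threshold = _rank(min_severity)
    selected = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            if _rank(sev) < threshold:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # nothing to upgrade to yet, so do not block on it
            selected.append({
                "target": result.get("Target"),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion") or "none",
                "severity": sev,
            })
    # Most severe first so the text report reads top-down.
    selected.sort(key=lambda f: _rank(f["severity"]), reverse=True)
    return selected


def format_report(report, findings):
    """Plain-text summary, the kind of output the page redirects into result.txt."""
    lines = [f"Trivy findings for {report.get('ArtifactName', '?')}: {len(findings)}"]
    for f in findings:
        lines.append(f"{f['severity']:<8} {f['id']:<16} {f['pkg']} "
                     f"{f['installed']} -> fixed in {f['fixed']} [{f['target']}]")
    return "\n".join(lines)


def gate(report, min_severity="HIGH", ignore_unfixed=False):
    """Return 1 (fail the pipeline) when any selected finding remains, else 0."""
    return 1 if select_findings(report, min_severity, ignore_unfixed) else 0


if __name__ == "__main__":
    # Usage: python gate.py IMAGE [MIN_SEVERITY] [--ignore-unfixed]
    # With no arguments the constructed sample report is gated instead.
    unfixed = "--ignore-unfixed" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--ignore-unfixed"]
    rep = run_trivy(args[0]) if args else SAMPLE_REPORT
    sev = args[1] if len(args) > 1 else "HIGH"
    hits = select_findings(rep, sev, unfixed)
    print(format_report(rep, hits))
    sys.exit(gate(rep, sev, unfixed))
```

Run without arguments to see the sample gated; with an image name the script shells out to the real `trivy` binary, which must then be installed. The `ignore_unfixed` switch mirrors the trade-off a pipeline owner has to make: blocking on findings with no available fix produces red builds nobody can act on, so a common policy is to fail only on fixable HIGH and CRITICAL findings and report the rest.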
Scanning open containers: key features
Trivy can also be used to scan a running container from the inside. To do this, complete the following steps:
- Start the container you want to test. This can be done using the command sudo docker run -it alpine
- Start the scan by pointing the utility at the container's filesystem.
Interesting fact: you can scan a container image as a standalone part of the overall monitoring process by integrating Trivy directly into the Dockerfile. This approach is also used to update the Dockerfile when Aqua Micro is in use. To achieve this, add the scanner to the Dockerfile and build the image.
Where to securely run and host Docker containers
Scanning is only one stage of securing your infrastructure. Reliable and high-performance container hosting is critical for project stability. One of the best solutions is PSB.Hosting.
Advantages of PSB.Hosting:
- Reliable VPS with AMD Ryzen processors and fast NVMe storage
- Support for all major Linux distributions and Docker environments
- Instant deployment and 24/7 technical support
If you plan to use Trivy for continuous monitoring, PSB.Hosting is the ideal platform for deploying Docker containers in conjunction with Kubernetes and CI/CD pipelines.
Key takeaway
The Trivy vulnerability scanner is one of the most effective tools for identifying critical errors in Docker containers, including hidden OS-level packages.
Regular use of this utility enables timely analysis and evaluation of open source infrastructure, as well as configuration file testing and adjustment.