How to Build Small, Secure Docker Images with Multi‑Stage Builds and Trivy

Abstract

Docker builds are easy but often produce large, vulnerable images. This article shows how to use multi‑stage builds, Alpine base images, and Trivy vulnerability scanning to create small, secure containers.

Why Docker images become bloated

Typical symptoms: initial image <200 MB, after months >1 GB and contains high‑severity CVEs.

Root causes:

Using “fat” base images such as ubuntu or debian that include package managers and GUI components.

Not cleaning caches, logs, or temporary files during the build.

Leaving unnecessary intermediate artifacts in the final image.

Skipping vulnerability scanning before release.

Multi‑stage build: the first step to slim images

Multi‑stage builds separate the build environment from the runtime environment.

Example (Java application)

# Stage 1: build with Maven
FROM maven:3.9.4-eclipse-temurin-17 AS builder
WORKDIR /app
COPY . .
RUN mvn clean package -DskipTests

# Stage 2: run with Alpine
FROM eclipse-temurin:17-alpine
WORKDIR /app
COPY --from=builder /app/target/app.jar .
CMD ["java","-jar","app.jar"]

Benefits:

Build and runtime environments are completely isolated.

Final image size can shrink by about 70 %.

Artifacts are clean, making security audits easier.

Image vulnerability scanning with Trivy

Trivy is a popular open‑source scanner that can be run locally or integrated into CI/CD pipelines.

Quick scan command

trivy image myapp:latest

Sample output:

Total: 15 (UNKNOWN: 0, LOW: 5, MEDIUM: 7, HIGH: 3, CRITICAL: 0)

Recommended actions:

Use officially maintained, frequently updated base images.

Remove unnecessary packages and clean caches.

Run Trivy automatically in CI/CD for each build.

Patch or replace components with high‑severity CVEs.

Automating build and scan in CI/CD

Minimal GitHub Actions workflow that builds the image and runs Trivy:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Build Docker image
        run: docker build -t myapp:latest .
      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'myapp:latest'

Effects:

Every commit triggers a fresh image build and security scan.

Vulnerabilities are detected before the first production deployment.

Development and operations teams gain faster feedback loops.

Key techniques summary

Multi‑stage build : reduces image size and separates build logic.

Alpine base image : minimizes attack surface and footprint.

Trivy scanning : automatically discovers CVEs and improves release safety.

CI/CD integration : enables DevSecOps and prevents security issues early.

Conclusion

Creating lightweight and secure Docker images requires disciplined build practices, a minimal base like Alpine, and continuous vulnerability scanning with tools such as Trivy integrated into your CI/CD pipeline.