How to Secure Docker Images with Trivy: Step-by-Step Guide
This guide explains how to set up Docker on Ubuntu 18.04, install and configure the Trivy vulnerability scanner, and use it to analyze container images such as Redis, BusyBox, and Nginx, covering database updates, output formats, and practical command examples.
System Environment
The tutorial assumes Docker version 20.10.14 running on Ubuntu 18.04.5 LTS with x86_64 CPU.
Introduction
With the rise of container technology, image security has become critical. Vulnerabilities in container images can be exploited, so scanning is essential. Trivy, developed by Aqua Security, supports Docker, Kubernetes and other platforms, offering ease of use and multiple vulnerability databases.
Trivy Overview
Trivy is a comprehensive security scanner that can scan container images, file systems, remote Git repositories, virtual machine images, Kubernetes clusters, and AWS systems. It detects software bill of materials (SBOM), known CVEs, IaC issues, misconfigurations, sensitive information, and software licenses.
Scanning Principle
Trivy analyzes the file system of a container image, extracts package names and versions, and matches them against a local vulnerability database. It parses Dockerfiles, matches packages to CVE entries, and presents detailed vulnerability information including description, affected versions, and remediation suggestions.
Using Trivy to Scan Images
First install Docker, then install Trivy via the provided RPM package.
# yum -y install docker-ce
# docker -v
# cat /etc/docker/daemon.json
{
"registry-mirrors": [
"https://frz7i079.mirror.aliyuncs.com"
]
}
# docker pull redis
# docker pull busybox
# docker pull nginx
# yum -y install trivy_0.28.1_Linux-64bit.rpm
# which trivy
/usr/local/bin/trivyRun trivy image nginx to scan the Nginx image. The first run downloads the vulnerability database. Example output shows counts of vulnerabilities by severity and a table of affected libraries.
UNKNOWN: 1, LOW: 93, MEDIUM: 43, HIGH: 41, CRITICAL: 24
nginx (debian 11.2)
Total: 202 (UNKNOWN: 1, LOW: 93, MEDIUM: 43, HIGH: 41, CRITICAL: 24)
...Similarly, scanning Redis yields:
Total: 108 (UNKNOWN: 0, LOW: 63, MEDIUM: 18, HIGH: 16, CRITICAL: 11)
...Trivy can output results in table, JSON, or other formats, e.g., trivy image -f json -o results.json nginx:1.16. The database is cached under ~/.cache/trivy and can be pre‑downloaded with trivy image --download-db-only or skipped with --skip-db-update.
Conclusion
Trivy is a powerful, easy‑to‑use tool for scanning container images for vulnerabilities, helping to ensure application security in Docker environments.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.