How to Secure Docker Images with Trivy: Step‑by‑Step Vulnerability Scanning

This guide walks through installing Docker and Trivy on Ubuntu, explains Trivy's scanning capabilities and underlying principles, and demonstrates practical commands to detect and report vulnerabilities in container images such as Redis, BusyBox, and Nginx.

Raymond Ops

1. System Environment

This article is based on Docker version 20.10.14 running on Ubuntu 18.04 LTS (x86_64).

2. Introduction

With the widespread adoption of containers, image security has become critical. The packages baked into an image carry known vulnerabilities that become exploitable once the container runs, so images need to be scanned before deployment and re-scanned as new advisories are published. Trivy, developed by Aqua Security, supports Docker, Kubernetes and other platforms, is easy to use and integrates multiple vulnerability databases.

3. About Trivy

Trivy is a comprehensive security scanner. Its homepage is https://github.com/aquasecurity/trivy and releases are at https://github.com/aquasecurity/trivy/releases.

Trivy can scan:

Container images

File systems

Git repositories

Virtual machine images

Kubernetes clusters

AWS services

It can produce a Software Bill of Materials (SBOM) and detect:

Known vulnerabilities (CVEs)

IaC issues and misconfigurations

Sensitive information (hard-coded secrets)

Software licenses

4. How Trivy Works

Trivy analyses the file system of an image, extracts package names and versions, then matches them against a vulnerability database.

Layer analysis – walks the file system of the image layers and reads the OS package database (dpkg on Debian/Ubuntu, apk on Alpine, rpm on RHEL-family) plus language-specific package metadata (installed Python, Node.js, Ruby, Java and similar artifacts) to collect package names and versions. The Dockerfile is neither needed nor parsed for this; Trivy's Dockerfile support is a separate misconfiguration check.

Database matching – compares each (package, version) pair with the advisories for that OS release or language ecosystem and reports the entries whose affected range contains the installed version.

Detail display – shows the vulnerability ID, description, installed and fixed versions, severity and remediation advice.

CVE (Common Vulnerabilities and Exposures) entries are maintained by MITRE; the article reports that the database contained over 190,000 entries at the time of writing. Trivy's own database (trivy-db) does not rely on NVD alone: it merges the security trackers of the Linux distributions and language ecosystems. That matters because a distribution often backports a fix without changing the upstream version number, so matching on CVE data alone would produce false positives.

In short, Trivy downloads the vulnerability database to a local cache, then compares the packages found in the image with the database to determine which vulnerabilities apply.
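To make "analysing the image file system" concrete, here is an added example (not code from the article or from Trivy) that performs the first step by hand for a Debian/Ubuntu-based image such as nginx: read the dpkg status database and extract one (name, version) pair per installed package, which is exactly the input Trivy feeds into database matching. The dpkg excerpt in SAMPLE_STATUS is constructed for the example and its version strings are made up; list_image_packages assumes docker is available and is not run here.

```shell
#!/bin/sh
# Added example, not code from the article or from Trivy: what "analysing the
# image file system" amounts to for a Debian/Ubuntu-based image. Trivy reads the
# OS package database out of the image layers (/var/lib/dpkg/status on
# Debian/Ubuntu, /lib/apk/db/installed on Alpine, the rpm database on
# RHEL-family) and collects one (name, version) pair per installed package;
# those pairs are what it matches against advisories. parse_dpkg_status does
# that extraction for the dpkg format with awk.

# Read a dpkg status file on stdin, print "name version" per installed package.
# The file is a series of stanzas separated by blank lines; a package that was
# removed but left config files behind still has a stanza, so the Status line
# must be checked rather than trusting the presence of a Package: line.
parse_dpkg_status() {
  awk '
    /^Package: / { pkg = $2 }
    /^Version: / { ver = $2 }
    /^Status: /  { installed = ($0 == "Status: install ok installed") }
    /^$/         { if (pkg != "" && installed) print pkg, ver
                   pkg = ""; ver = ""; installed = 0 }
    END          { if (pkg != "" && installed) print pkg, ver }
  '
}

# Run the same extraction against a real image (needs docker; not run here).
# The nginx image is Debian based and ships cat, so nothing is copied in.
list_image_packages() {
  docker run --rm --entrypoint cat "$1" /var/lib/dpkg/status | parse_dpkg_status
}

# Constructed excerpt of a dpkg status file (versions are made up for the
# example, not taken from any real image).
SAMPLE_STATUS='Package: libc6
Status: install ok installed
Priority: required
Version: 2.31-13+deb11u3
Architecture: amd64

Package: openssl
Status: install ok installed
Version: 1.1.1n-0+deb11u3

Package: old-tool
Status: deinstall ok config-files
Version: 1.0-1
'

# Demo: the two installed packages are listed; the removed one is skipped.
demo() {
  printf '%s' "$SAMPLE_STATUS" | parse_dpkg_status
}
```

Run `list_image_packages nginx` on a host with Docker to see the real list that Trivy's first step produces. The caveat for images like busybox is visible from this design: they ship no package database at all, so there is nothing to enumerate and Trivy reports that the OS could not be detected rather than a clean bill of health.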

5. Using Trivy to Scan Images

Install Docker first. The commands in this section use yum and an .rpm package, i.e. a RHEL/CentOS-family host, even though section 1 names Ubuntu 18.04; on Ubuntu the equivalents are apt and the .deb from the same release page. yum needs Docker's package repository configured beforehand:

# yum -y install docker-ce

Optionally configure a registry mirror in /etc/docker/daemon.json (the mirror host below is the article's example) and restart the daemon afterwards with systemctl restart docker:

{
  "registry-mirrors": ["https://frz7i079.mirror.aliyuncs.com"]
}

Pull example images:

# docker pull redis
# docker pull busybox
# docker pull nginx

Install Trivy from the package downloaded from the releases page (again an .rpm via yum; use the .deb with apt on Ubuntu), then verify the binary is on the PATH and check the version:

# yum -y install trivy_0.28.1_Linux-64bit.rpm
# which trivy
/usr/local/bin/trivy
# trivy --version

Run a scan (the first run downloads the vulnerability database, so it needs network access and takes a while):

# trivy image nginx

The output shows the number of vulnerabilities by severity, e.g., UNKNOWN:1, LOW:93, MEDIUM:43, HIGH:41, CRITICAL:24, followed by a table of affected libraries with the installed version, the fixed version and the vulnerability ID. The counts depend on which digest of nginx was pulled (an untagged pull gets whatever :latest is today) and on the age of the database, so expect different numbers.

Trivy caches the database in ~/.cache/trivy (override with --cache-dir); you can copy this directory to another machine, such as a build runner without internet access, to avoid re-downloading.

Use --skip-db-update to skip the automatic DB download, or --download-db-only to update the database without running a scan.
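The steps above (pre-fetch the database once, copy the cache, scan without updating) are what a CI gate is built from. The script below is an added example, not from the article or from Trivy's own tooling: it combines --download-db-only and --skip-db-update with the standard `trivy image` flags --severity, --ignore-unfixed, --exit-code and --output to fail a pipeline when an image has fixable HIGH or CRITICAL findings, and it sums those counts from the saved table report for the job log. It assumes docker and trivy are installed as in this section; the image names in the usage line and SAMPLE_REPORT are constructed (SAMPLE_REPORT reuses the severity counts quoted above in the shape of Trivy's table summary line).

```shell
#!/bin/sh
# Added example (not from the article or Trivy's own tooling): a gate script a
# CI job can call after the image is built. Flags used are standard
# `trivy image` flags; image names and SAMPLE_REPORT are constructed.
set -u

# Step 1 (once, on a host with network access): fetch the DB without scanning.
# ~/.cache/trivy can then be copied to runners that have no egress, and those
# runners scan with --skip-db-update so they never try to reach the internet.
fetch_db() {
  trivy image --download-db-only
}

# Step 2: scan one image and write the table report to "$2".
#   --ignore-unfixed         drop findings with no fixed version yet; a rebuild
#                            cannot remediate them, they can only be tracked
#   --severity HIGH,CRITICAL only these severities count towards the gate
#   --exit-code 1            trivy exits 1 when such findings remain
# Return value is trivy's exit status. Trivy also exits non-zero on errors
# (e.g. no cached DB while --skip-db-update is set), so keep the report.
gate_image() {
  trivy image --skip-db-update --ignore-unfixed \
    --severity HIGH,CRITICAL --exit-code 1 --output "$2" "$1"
}

# Sum the HIGH and CRITICAL counts from a saved table report (file argument or
# stdin). The table format carries one summary line per scanned target, e.g.
#   Total: 202 (UNKNOWN: 1, LOW: 93, MEDIUM: 43, HIGH: 41, CRITICAL: 24)
# or, with --severity HIGH,CRITICAL, just "Total: 65 (HIGH: 41, CRITICAL: 24)";
# the pattern tolerates both. Adding the per-target lines gives the number the
# gate blocked on.
blocking_count() {
  sed -n 's/^Total: [0-9]* (.*HIGH: \([0-9]*\), CRITICAL: \([0-9]*\)).*/\1 \2/p' "$@" |
    awk '{ s += $1 + $2 } END { print s + 0 }'
}

# Gate every image named on the command line; the job fails if any is blocked.
gate_all() {
  rc=0
  for img in "$@"; do
    report="trivy-$(printf '%s' "$img" | tr '/:' '__').txt"
    if gate_image "$img" "$report"; then
      echo "PASS $img"
    else
      echo "FAIL $img: $(blocking_count "$report") HIGH/CRITICAL findings with a fix available (see $report)"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed report text in the shape of trivy's table summary, using the
# counts quoted in the article for nginx, for exercising blocking_count offline.
SAMPLE_REPORT='nginx (debian 11.3)
===================
Total: 202 (UNKNOWN: 1, LOW: 93, MEDIUM: 43, HIGH: 41, CRITICAL: 24)
'

# Usage: sh trivy-gate.sh nginx:1.25 redis:7   (image tags are constructed)
if [ "$#" -gt 0 ]; then
  gate_all "$@"
fi
```

Pin image tags or digests in the pipeline rather than scanning bare names like nginx, otherwise the image that passed the gate and the image that gets deployed can differ. Run fetch_db on a schedule on the networked host and re-copy ~/.cache/trivy, since a scan with --skip-db-update is only as current as the cached database.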

6. Summary

Trivy is a powerful, easy‑to‑use container image vulnerability scanner. The hands‑on Docker examples demonstrate that it can effectively identify security issues in images, helping to protect applications.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
