Securing Your Apps with Trivy in CI/CD Pipelines

When you’re building apps in the cloud, it’s not just about speed — it’s also about security. Vulnerabilities in your container images, dependencies, or even accidentally committed secrets can open the door to attacks.
This is where Trivy (by Aqua Security) comes in. It’s an easy-to-use open-source vulnerability scanner that checks:
Filesystem (FS) → your code & dependencies
Docker/OCI images → your built container images
Secrets → like API keys or passwords in your repo
In this post, we’ll:
Install Trivy on an AWS EC2 instance
Run filesystem and image scans
Integrate Trivy into a CI/CD pipeline (Jenkins, GitHub Actions, Azure DevOps) with JSON reports
🚀 Step 1: Launch an EC2 Instance
Go to the AWS Console → EC2 → Launch Instance
Choose Ubuntu 22.04 LTS (or Amazon Linux 2)
Pick instance type: t2.micro (free tier friendly)
Allow SSH (port 22) in the instance's security group
Connect via SSH:
ssh -i your-key.pem ubuntu@<EC2-Public-IP>
📦 Step 2: Install Trivy on EC2
For Ubuntu (using the official Trivy apt repository):
# Update system packages
sudo apt-get update -y
# Install dependencies
sudo apt-get install wget apt-transport-https gnupg lsb-release -y
# Add the Trivy signing key to a dedicated keyring (apt-key is deprecated on Ubuntu 22.04)
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
# Add the Trivy repo; signed-by restricts that key to this repo only
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
# Install Trivy
sudo apt-get update -y
sudo apt-get install trivy -y
Verify installation:
trivy --version
🔍 Step 3: Run Your First Trivy Scans
1. Filesystem Scan
Scans your source code for vulnerabilities in dependencies and leaked secrets:
trivy fs --format json --output trivy-fs-report.json .
👉 Output is saved in trivy-fs-report.json.
2. Docker Image Scan
Install Docker (if not already installed):
sudo apt-get install docker.io -y
sudo systemctl enable docker
sudo systemctl start docker
Build and scan an image:
docker build -t myapp:latest .
trivy image --format json --output trivy-image-report.json myapp:latest
👉 Output is saved in trivy-image-report.json.
⚡ Step 4: Automating Trivy in CI/CD
Manual scans are fine for testing, but the real power comes when you add Trivy into your CI/CD pipeline so every commit or build is scanned automatically.
Here are ready-to-use snippets:
🔹 Jenkinsfile Example
pipeline {
    agent any
    stages {
        stage('Checkout') {
            steps {
                checkout scm
            }
        }
        stage('Filesystem Scan') {
            steps {
                sh 'trivy fs --format json --output trivy-fs-report.json .'
            }
        }
        stage('Build Docker Image') {
            steps {
                sh 'docker build -t myapp:latest .'
            }
        }
        stage('Docker Image Scan') {
            steps {
                sh 'trivy image --format json --output trivy-image-report.json myapp:latest'
            }
        }
    }
}
🔹 GitHub Actions Example
name: CI with Trivy
on: [push]
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      # Trivy is not preinstalled on hosted runners; install it from the apt repo
      # (same repo as Step 2; "generic" is its distribution-independent channel)
      - name: Install Trivy
        run: |
          sudo apt-get update -y
          sudo apt-get install -y wget apt-transport-https gnupg lsb-release
          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list
          sudo apt-get update -y && sudo apt-get install -y trivy
      # Filesystem Scan
      - name: Run Trivy FS Scan
        run: trivy fs --format json --output trivy-fs-report.json .
      # Build Docker Image
      - name: Build Docker Image
        run: docker build -t myapp:latest .
      # Docker Image Scan
      - name: Run Trivy Image Scan
        run: trivy image --format json --output trivy-image-report.json myapp:latest
🔹 Azure DevOps Pipeline Example
trigger:
  - main
pool:
  vmImage: 'ubuntu-latest'
steps:
  - checkout: self
    displayName: 'Checkout Code'
  # Trivy is not preinstalled on hosted agents; install it from the apt repo
  # (same repo as Step 2; "generic" is its distribution-independent channel)
  - script: |
      sudo apt-get update -y
      sudo apt-get install -y wget apt-transport-https gnupg lsb-release
      wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
      echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list
      sudo apt-get update -y && sudo apt-get install -y trivy
    displayName: 'Install Trivy'
  # Filesystem Scan
  - script: trivy fs --format json --output trivy-fs-report.json .
    displayName: 'Trivy Filesystem Scan'
  # Build Docker image
  - script: docker build -t myapp:latest .
    displayName: 'Build Docker Image'
  # Image Scan
  - script: trivy image --format json --output trivy-image-report.json myapp:latest
    displayName: 'Trivy Docker Image Scan'
📊 Step 5: Using the Reports
Both trivy-fs-report.json and trivy-image-report.json contain full vulnerability details in JSON format. You can:
Upload them as artifacts in Jenkins/GitHub/Azure
Parse them into dashboards (Grafana, Elastic, etc.)
Feed them into security monitoring tools
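As an added example (not from the original post), here is a small Python script that reads one of these reports, tallies findings by severity, and exits non-zero when a vulnerability at or above a chosen severity or any leaked secret is present, so the CI stage that runs it fails the build instead of just archiving the JSON. The field names follow Trivy's JSON report schema; the embedded report is a constructed sample with placeholder CVE IDs.

```python
import json
import sys
from collections import Counter

# Trivy severity labels, least to most severe.
SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in the shape of trivy-*-report.json; CVE IDs are placeholders.
SAMPLE_REPORT = {
    "SchemaVersion": 2, "ArtifactName": "myapp:latest",
    "Results": [
        {"Target": "myapp:latest (debian 12.5)", "Class": "os-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
             "InstalledVersion": "2.3", "Severity": "LOW"}]},
        {"Target": "app/.env", "Class": "secret", "Secrets": [
            {"RuleID": "aws-access-key-id", "Severity": "CRITICAL",
             "Title": "AWS Access Key ID", "StartLine": 3}]}]}

def rank(severity):
    """Position in SEVERITIES; anything unexpected counts as UNKNOWN."""
    return SEVERITIES.index(severity) if severity in SEVERITIES else 0

def summarize(report):
    """Count findings per severity over every Results entry.
    Returns (vulns_by_severity, secrets_by_severity, fixable_vulns).
    "Results" is missing or null when a scan finds nothing, hence `or []`."""
    vulns, secrets, fixable = Counter(), Counter(), 0
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            vulns[v.get("Severity", "UNKNOWN")] += 1
            fixable += 1 if v.get("FixedVersion") else 0
        for s in result.get("Secrets") or []:
            secrets[s.get("Severity", "UNKNOWN")] += 1
    return vulns, secrets, fixable

def passes_gate(report, threshold="HIGH"):
    """True when no vulnerability is at or above `threshold` and no secret was found."""
    vulns, secrets, _ = summarize(report)
    blocking = sum(n for sev, n in vulns.items() if rank(sev) >= rank(threshold))
    return blocking == 0 and sum(secrets.values()) == 0

if __name__ == "__main__":
    # Usage: python trivy_gate.py trivy-image-report.json [HIGH|CRITICAL]
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    level = sys.argv[2] if len(sys.argv) > 2 else "HIGH"
    vulns, secrets, fixable = summarize(report)
    print(f"vulnerabilities: {dict(vulns)} ({fixable} fixable)  secrets: {dict(secrets)}")
    sys.exit(0 if passes_gate(report, level) else 1)  # non-zero exit fails the CI stage
```

Run it as one more pipeline step after each scan; a fixable HIGH finding or a committed credential then fails the build while the JSON report is still available for dashboards.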