Trivy with Docker: Secure Your Container Images

In today's fast-paced DevOps environments, container security is more important than ever. While Docker enables teams to build, ship, and run applications faster, it also opens the door to potential vulnerabilities if not managed properly. This is where Trivy, a simple yet powerful vulnerability scanner, comes into play.
What is Trivy?
Trivy (short for Tri-vulnerability) is an open-source vulnerability scanner developed by Aqua Security. It’s designed to detect:
OS package vulnerabilities (in distributions like Alpine, Debian, CentOS)
Application dependency vulnerabilities (in npm, pip, Go modules, etc.)
Configuration issues (Infrastructure as Code scanning)
Docker images, Kubernetes clusters, file systems, and repositories
Trivy is lightweight, fast, and easy to integrate into CI/CD pipelines—making it a must-have tool for DevOps engineers.
How Trivy Helps While Working with Docker:
When you're building Docker images, every DevOps engineer focuses on automating the steps: pulling the code from GitHub, scanning the code, building the Docker image and pushing it to a registry. With those steps we make sure the code doesn't have any bugs or vulnerabilities. But what about your Docker image?
Your Code Doesn't Have Bugs! What About Your Dockerfile?
When building images you often rely on various base images and third-party libraries. Even if your code is secure, you might unknowingly be introducing vulnerabilities through these dependencies (the base images in your Dockerfile).
Here’s how Trivy helps:
Scans Docker images before pushing them to production.
Detects CVEs (Common Vulnerabilities and Exposures) in OS packages and app libraries.
Supports policy enforcement in CI/CD workflows.
Saves time and cost by identifying issues early in the development cycle.
Trivy Commands Everyone Must Know:
1. Scan a Docker Image
trivy image image-name
2. Scan a Local Dockerfile
trivy config .
3. Scan a File System
trivy fs /path/to/project
4. List All Available Trivy Commands
trivy --help
5. Scan with Severity Filtering
trivy image --severity CRITICAL,HIGH nginx:latest
6. Output to JSON or Table
trivy image --format json image-name
7. Generate a Report
trivy image --format table --output trivy-report.txt image-name
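The commands above print human-readable tables, but in a pipeline you want a machine-checkable gate (the policy enforcement mentioned earlier). The following Python script is an added example, not part of the original post and not Trivy's own code: it reads the JSON that `trivy image --format json --output report.json image-name` writes, reproduces Trivy's per-severity total line, and fails the build when findings at the chosen severities exist, optionally skipping findings that have no fixed version yet (the same policy as `--exit-code 1 --severity CRITICAL,HIGH --ignore-unfixed`). The embedded SAMPLE_REPORT is constructed for offline use; its OS entries reuse IDs and versions from the scan shown in the next section, and the npm entry with ID CVE-0000-00001 is a placeholder, not a real CVE.

```python
"""CI gate on a Trivy JSON report (added example, not Trivy's own code).

Produce the report first:
    trivy image --format json --output report.json image-name
then run:
    python trivy_gate.py report.json [--ignore-unfixed]   # exit status 1 on failure
Without a path argument the constructed SAMPLE_REPORT below is used.
"""
import json
import sys

SEVERITY_ORDER = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in Trivy's JSON layout. The OS entries reuse IDs and versions
# from the scan output in the next section (no fixed version was available for them);
# the npm entry is a placeholder (CVE-0000-00001 is not a real ID).
SAMPLE_REPORT = {
    "ArtifactName": "shaikmustafa/cycle",
    "Results": [
        {
            "Target": "shaikmustafa/cycle (debian 11.6)", "Class": "os-pkgs", "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2011-3374", "PkgName": "apt",
                 "InstalledVersion": "2.2.4", "Severity": "LOW"},
                {"VulnerabilityID": "CVE-2022-3715", "PkgName": "bash",
                 "InstalledVersion": "5.1-2+deb11u1", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2022-0563", "PkgName": "bsdutils",
                 "InstalledVersion": "2.36.1-8+deb11u1", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-2019-1010022", "PkgName": "libc-bin",
                 "InstalledVersion": "2.31-13+deb11u5", "Severity": "CRITICAL"},
            ],
        },
        {   # constructed application-dependency result
            "Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "example-lib",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
            ],
        },
    ],
}


def iter_findings(report):
    """Yield (target, vulnerability) for every entry across all Results."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def summarize(report):
    """Per-severity counts, like Trivy's 'Total: N (UNKNOWN: .., LOW: .., ...)' line."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for _, vuln in iter_findings(report):
        sev = vuln.get("Severity") or "UNKNOWN"
        counts[sev if sev in counts else "UNKNOWN"] += 1
    counts["TOTAL"] = sum(counts[sev] for sev in SEVERITY_ORDER)
    return counts


def gate(report, fail_on=("CRITICAL", "HIGH"), ignore_unfixed=False):
    """Return (passed, offenders). Same policy as
    `trivy image --exit-code 1 --severity CRITICAL,HIGH [--ignore-unfixed]`."""
    offenders = []
    for target, vuln in iter_findings(report):
        if vuln.get("Severity") not in fail_on:
            continue
        if ignore_unfixed and not vuln.get("FixedVersion"):
            continue  # nothing to upgrade to yet; tracked but not blocking
        offenders.append((target, vuln["PkgName"], vuln["VulnerabilityID"],
                          vuln["Severity"], vuln.get("FixedVersion") or "-"))
    return (not offenders), offenders


def main(argv):
    paths = [a for a in argv[1:] if not a.startswith("--")]
    if paths:
        with open(paths[0], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    c = summarize(report)
    print("Total: {TOTAL} (UNKNOWN: {UNKNOWN}, LOW: {LOW}, MEDIUM: {MEDIUM}, "
          "HIGH: {HIGH}, CRITICAL: {CRITICAL})".format(**c))
    passed, offenders = gate(report, ignore_unfixed="--ignore-unfixed" in argv)
    for target, pkg, cve, sev, fixed in offenders:
        print(f"BLOCK {sev:<8} {cve:<18} {pkg} in {target} (fixed: {fixed})")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the sample data the gate fails on the three HIGH/CRITICAL findings; with `--ignore-unfixed` only the npm finding (which has a fixed version) blocks, which is the usual compromise for Debian base images where many CVEs have no patched package yet.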
Understanding Trivy Scan Output:
For example, when I scan my own image with trivy image image-name, here is the output I get on my system:
trivy image shaikmustafa/cycle
Output:
shaikmustafa/cycle (debian 11.6)
================================
Total: 120 (UNKNOWN: 2, LOW: 13, MEDIUM: 58, HIGH: 43, CRITICAL: 4)
+------------------+------------------+----------+-------------------------+---------------+-----------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+------------------+------------------+----------+-------------------------+---------------+-----------------------------------------+
| apt | CVE-2011-3374 | LOW | 2.2.4 | | It was found that apt-key in apt, |
| | | | | | all versions, do not correctly... |
| | | | | | -->avd.aquasec.com/nvd/cve-2011-3374 |
+------------------+------------------+----------+-------------------------+---------------+-----------------------------------------+
| bash | CVE-2022-3715 | HIGH | 5.1-2+deb11u1 | | bash: a heap-buffer-overflow |
| | | | | | in valid_parameter_transform |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-3715 |
+------------------+------------------+----------+-------------------------+---------------+-----------------------------------------+
| bsdutils | CVE-2022-0563 | MEDIUM | 2.36.1-8+deb11u1 | | util-linux: partial disclosure |
| | | | | | of arbitrary files in chfn |
| | | | | | and chsh when compiled... |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-0563 |
+------------------+------------------+ +-------------------------+---------------+-----------------------------------------+
| coreutils | CVE-2016-2781 | | 8.32-4 | | coreutils: Non-privileged |
| | | | | | session can escape to the |
| | | | | | parent session in chroot |
| | | | | | -->avd.aquasec.com/nvd/cve-2016-2781 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2017-18018 | | | | coreutils: race condition |
| | | | | | vulnerability in chown and chgrp |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-18018 |
+------------------+------------------+----------+-------------------------+---------------+-----------------------------------------+
| curl | CVE-2022-42916 | HIGH | 7.74.0-1.3+deb11u7 | | curl: HSTS bypass via IDN |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-42916 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-43551 | | | | curl: HSTS bypass via IDN |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-43551 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2021-22922 | MEDIUM | | | curl: Content not matching hash |
| | | | | | in Metalink is not being discarded |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-22922 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-22923 | | | | curl: Metalink download |
| | | | | | sends credentials |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-22923 |
+------------------+------------------+----------+-------------------------+---------------+-----------------------------------------+
| e2fsprogs | CVE-2022-1304 | HIGH | 1.46.2-2 | | e2fsprogs: out-of-bounds |
| | | | | | read/write via crafted filesystem |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-1304 |
+------------------+------------------+----------+-------------------------+---------------+-----------------------------------------+
| libapt-pkg6.0 | CVE-2011-3374 | LOW | 2.2.4 | | It was found that apt-key in apt, |
| | | | | | all versions, do not correctly... |
| | | | | | -->avd.aquasec.com/nvd/cve-2011-3374 |
+------------------+------------------+----------+-------------------------+---------------+-----------------------------------------+
| libblkid1 | CVE-2022-0563 | MEDIUM | 2.36.1-8+deb11u1 | | util-linux: partial disclosure |
| | | | | | of arbitrary files in chfn |
| | | | | | and chsh when compiled... |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-0563 |
+------------------+------------------+----------+-------------------------+---------------+-----------------------------------------+
| libc-bin | CVE-2019-1010022 | CRITICAL | 2.31-13+deb11u5 | | glibc: stack guard protection bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2018-20796 | HIGH | | | glibc: uncontrolled recursion in |
| | | | | | function check_dst_limits_calc_pos_1 |
| | | | | | in posix/regexec.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20796 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010023 | | | | glibc: running ldd on malicious ELF |
| | | | | | leads to code execution because of... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010023 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-9192 | | | | glibc: uncontrolled recursion in |
| | | | | | function check_dst_limits_calc_pos_1 |
| | | | | | in posix/regexec.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-9192 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2010-4756 | MEDIUM | | | glibc: glob implementation |
| | | | | | can cause excessive CPU and |
| | | | | | memory consumption due to... |
| | | | | | -->avd.aquasec.com/nvd/cve-2010-4756 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010024 | | | | glibc: ASLR bypass using |
| | | | | | cache of thread stack and heap |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010024 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010025 | | | | glibc: information disclosure of heap |
| | | | | | addresses of pthread_created thread |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010025 |
+------------------+------------------+----------+ +---------------+-----------------------------------------+
| libc6 | CVE-2019-1010022 | CRITICAL | | | glibc: stack guard protection bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2018-20796 | HIGH | | | glibc: uncontrolled recursion in |
| | | | | | function check_dst_limits_calc_pos_1 |
| | | | | | in posix/regexec.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20796 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010023 | | | | glibc: running ldd on malicious ELF |
| | | | | | leads to code execution because of... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010023 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-9192 | | | | glibc: uncontrolled recursion in |
| | | | | | function check_dst_limits_calc_pos_1 |
| | | | | | in posix/regexec.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-9192 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2010-4756 | MEDIUM | | | glibc: glob implementation |
| | | | | | can cause excessive CPU and |
| | | | | | memory consumption due to... |
| | | | | | -->avd.aquasec.com/nvd/cve-2010-4756 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010024 | | | | glibc: ASLR bypass using |
| | | | | | cache of thread stack and heap |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010024 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010025 | | | | glibc: information disclosure of heap |
| | | | | | addresses of pthread_created thread |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010025 |
+------------------+------------------+----------+-------------------------+---------------+-----------------------------------------+
If you look at the output above, under VULNERABILITY ID you will find CVE IDs, and under SEVERITY you will find LOW, MEDIUM, HIGH and CRITICAL. Let's look at both.
1. VULNERABILITY ID — What does CVE-2019-1010025 mean?
✅ Not random — it follows a pattern.
CVE = Common Vulnerabilities and Exposures
2019 = The year the vulnerability was discovered or published
1010025 = The unique ID for that specific CVE in that year
So, CVE-2019-1010025 means:
The vulnerability with sequence number 1010025 registered in the year 2019.
You can look it up on https://cve.mitre.org or https://nvd.nist.gov for full technical details.
2. SEVERITY — What Do LOW, MEDIUM, HIGH, CRITICAL Mean?
Trivy uses CVSS (Common Vulnerability Scoring System) to determine severity, based on:
Ease of exploitation
Potential impact (data leak, privilege escalation, etc.)
Need for user interaction
| Severity | Meaning |
|---|---|
| LOW | Harmless or very hard to exploit; doesn't pose a serious threat. |
| MEDIUM | Might be exploitable in certain conditions; moderate risk. |
| HIGH | Dangerous; likely exploitable and could compromise confidentiality, integrity, or availability. |
| CRITICAL | Severe; easily exploitable and has a large impact (e.g., remote code execution, full system takeover). |
🔐 Examples:
LOW: Debug log leak
🔧 What it means: Some harmless info like internal paths or config values gets printed in logs.
📌 Real-life example:
Imagine an app printing this in the log file:
Connected to DB with password: mysecret123
No attacker can use this directly, but anyone who finds these logs gets helpful hints for a future attack.
📉 Risk: Very low
🛠️ Fix: Filter logs, disable debug mode in production
🔸 MEDIUM: Denial of Service (DoS) via malformed input
💥 What it means: A user can crash or freeze your app by sending malformed (but technically accepted) data.
📌 Real-life example:
A user sends a very long string or a weirdly formatted file that freezes your service or makes it crash.
📉 Risk: Moderate — no data is stolen, but your app stops working.
🛠️ Fix: Validate input, limit request size, add timeouts.
🔺 HIGH: Arbitrary code execution in a local app
⚙️ What it means: Someone can run their own code inside your app or server — but they need some access.
📌 Real-life example:
A user uploads a .py file as an image, and the app accidentally runs it instead of storing it — the attacker's code runs inside your app!
📉 Risk: High — system can be hijacked
🛠️ Fix: Sanitize uploads, use sandboxing, patch libraries
🔴 CRITICAL: Remote attacker gets shell access
🚨 What it means: A hacker can break in from the internet, without any login, and get full control (like a terminal/command line).
📌 Real-life example:
Your app runs sudo without checks. An attacker exploits a bug and gets access to your server — they can delete data, add malware, or take over everything.
📉 Risk: Extremely high
🛠️ Fix: Patch immediately, rotate secrets, monitor for compromise
Who Fixes the Issue — DevOps or Dev Team?
It depends on what kind of vulnerability it is:
| Type of Vulnerability | Responsibility | How it's Fixed |
|---|---|---|
| Base image issue (e.g., in nginx, ubuntu, openssl) | DevOps | Update base image in Dockerfile or CI pipeline |
| Dependency issue (e.g., in package.json, requirements.txt) | Development | Update the vulnerable library to a safe version |
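Trivy's JSON output already carries the information this table keys on: each Result has a Class of "os-pkgs" (packages from the base image) or "lang-pkgs" (application dependencies found in a manifest), and each finding may carry a FixedVersion. The following Python script is an added example, not part of the original post and not Trivy's own code: it splits a report into a DevOps queue and a Development queue, orders each queue by the severity levels explained above, and attaches the remediation the table prescribes. SAMPLE_REPORT is constructed for offline use; the OS entries reuse IDs and versions from the scan earlier in the post, while the npm entries (CVE-0000-00001, CVE-0000-00002, the package names and versions) are placeholders.

```python
"""Route Trivy findings to the team that owns the fix (added example, not Trivy's code).

Rule from the table above: OS-package findings come from the base image and go to
DevOps (update the FROM line / rebuild); application-dependency findings come from
package.json, requirements.txt etc. and go to Development (bump the library).
"""
import json
import sys

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}
OWNER_BY_CLASS = {"os-pkgs": "DevOps", "lang-pkgs": "Development"}

# Constructed sample in Trivy's JSON layout (OS entries from the scan above, npm
# entries are placeholders with fake CVE IDs).
SAMPLE_REPORT = {
    "ArtifactName": "shaikmustafa/cycle",
    "Results": [
        {
            "Target": "shaikmustafa/cycle (debian 11.6)", "Class": "os-pkgs", "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2011-3374", "PkgName": "apt",
                 "InstalledVersion": "2.2.4", "Severity": "LOW"},
                {"VulnerabilityID": "CVE-2022-42916", "PkgName": "curl",
                 "InstalledVersion": "7.74.0-1.3+deb11u7", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2019-1010022", "PkgName": "libc6",
                 "InstalledVersion": "2.31-13+deb11u5", "Severity": "CRITICAL"},
            ],
        },
        {
            "Target": "usr/src/app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "example-web-lib",
                 "InstalledVersion": "1.2.0", "FixedVersion": "1.2.1", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-00002", "PkgName": "example-parser",
                 "InstalledVersion": "0.9.0", "Severity": "MEDIUM"},
            ],
        },
    ],
}


def owner_for(result):
    """Map a Trivy Result to the responsible team; anything else needs manual triage."""
    return OWNER_BY_CLASS.get(result.get("Class"), "Unassigned")


def remediation(result, vuln):
    """Suggest the fix in the terms the responsibility table uses."""
    pkg, fixed = vuln["PkgName"], vuln.get("FixedVersion")
    if result.get("Class") == "os-pkgs":
        if fixed:
            return f"rebuild on a newer {result.get('Type', 'base')} image shipping {pkg} {fixed}"
        return f"no fixed {pkg} package yet: switch to a leaner base image or track the risk"
    if fixed:
        return f"bump {pkg} to {fixed} in {result.get('Target', 'the manifest')}"
    return f"no fixed release of {pkg} yet: look for a replacement or mitigate"


def triage(report):
    """Group findings per owner, most severe first, each with a suggested action."""
    queues = {}
    for result in report.get("Results") or []:
        owner = owner_for(result)
        for vuln in result.get("Vulnerabilities") or []:
            queues.setdefault(owner, []).append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "severity": vuln.get("Severity") or "UNKNOWN",
                "target": result.get("Target", ""),
                "action": remediation(result, vuln),
            })
    for items in queues.values():
        items.sort(key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), f["id"]))
    return queues


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    for owner, items in triage(report).items():
        print(f"== {owner} ({len(items)} findings)")
        for f in items:
            print(f"  {f['severity']:<8} {f['id']:<18} {f['pkg']}: {f['action']}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real report with `trivy image --format json --output report.json image-name` followed by `python triage.py report.json`; results of any other Class (for example misconfiguration results from `trivy config`) land in an "Unassigned" queue rather than being silently dropped.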
Solution for Production Ready Images
Normal Dockerfile using nginx:
FROM nginx
COPY . /usr/share/nginx/html/
EXPOSE 80
Production ready Dockerfile using nginx:
FROM nginx:stable-alpine
COPY . /usr/share/nginx/html/
EXPOSE 80
Normal Dockerfile using httpd:
FROM httpd
COPY . /usr/local/apache2/htdocs
Production ready Dockerfile using httpd:
FROM httpd:alpine
COPY . /usr/local/apache2/htdocs
Normal Dockerfile using node:
FROM node:16
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000
CMD ["node", "index.js"]
Production ready Dockerfile using node:
# Build stage: pinned, minimal Alpine-based image instead of the full node:16 image
FROM node:19-alpine AS firststage
WORKDIR /usr/src/app
COPY package*.json ./
RUN npm install
COPY . .
# Final stage: reinstall with devDependencies omitted so they are not shipped
FROM firststage AS final
RUN npm install --production
COPY . .
CMD ["node", "index.js"]
Build all the above Dockerfiles, scan the images and let me know in the comment box what you observed in the normal Dockerfiles versus the production-ready (zero issues) Dockerfiles.
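To make the comparison the author asks for measurable rather than eyeballed, the following Python script is an added example, not part of the original post: it takes the JSON reports of the "normal" and the "production-ready" build of the same application and reports which (package, CVE) pairs the base-image change removed, which remain, and which the new image introduced. The two embedded reports are constructed for offline use: the OS entries reuse IDs and versions from the Debian scan earlier in the post, the Alpine result is empty to mirror the zero-issues claim above, and the npm finding (CVE-0000-00001, example-lib) is a placeholder that deliberately survives the base-image change, since a dependency issue is fixed by the Development team updating the library, not by DevOps swapping the base image.

```python
"""Diff two Trivy JSON reports: before/after a base-image change (added example).

Typical workflow (commands only, nothing here runs Docker or Trivy):
    docker build -t app:normal -f Dockerfile.normal .
    docker build -t app:prod   -f Dockerfile.prod .
    trivy image --format json --output normal.json app:normal
    trivy image --format json --output prod.json   app:prod
    python compare_scans.py normal.json prod.json
"""
import json
import sys

# Constructed: node:16-style Debian base plus one placeholder npm dependency finding.
NORMAL_REPORT = {
    "ArtifactName": "app:normal",
    "Results": [
        {
            "Target": "app:normal (debian 11.6)", "Class": "os-pkgs", "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2022-3715", "PkgName": "bash",
                 "InstalledVersion": "5.1-2+deb11u1", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2022-42916", "PkgName": "curl",
                 "InstalledVersion": "7.74.0-1.3+deb11u7", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2019-1010022", "PkgName": "libc6",
                 "InstalledVersion": "2.31-13+deb11u5", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2022-1304", "PkgName": "e2fsprogs",
                 "InstalledVersion": "1.46.2-2", "Severity": "HIGH"},
            ],
        },
        {
            "Target": "usr/src/app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "example-lib",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
            ],
        },
    ],
}

# Constructed: same app on node:19-alpine; no OS findings, the npm finding is unchanged.
PRODUCTION_REPORT = {
    "ArtifactName": "app:prod",
    "Results": [
        {"Target": "app:prod (alpine 3.17)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": []},
        {
            "Target": "usr/src/app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "example-lib",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
            ],
        },
    ],
}


def finding_keys(report):
    """Set of (package, CVE) pairs across all Results of a Trivy JSON report."""
    return {
        (v["PkgName"], v["VulnerabilityID"])
        for r in report.get("Results") or []
        for v in r.get("Vulnerabilities") or []
    }


def compare(before, after):
    """Classify every finding as removed by the change, still present, or newly introduced."""
    b, a = finding_keys(before), finding_keys(after)
    return {
        "removed": sorted(b - a),
        "remaining": sorted(b & a),
        "introduced": sorted(a - b),
    }


def main(argv):
    if len(argv) > 2:
        with open(argv[1], encoding="utf-8") as f1, open(argv[2], encoding="utf-8") as f2:
            before, after = json.load(f1), json.load(f2)
    else:
        before, after = NORMAL_REPORT, PRODUCTION_REPORT
    diff = compare(before, after)
    for bucket in ("removed", "remaining", "introduced"):
        print(f"{bucket}: {len(diff[bucket])}")
        for pkg, cve in diff[bucket]:
            print(f"  {cve:<18} {pkg}")
    # A base-image change that introduces new CVEs deserves a second look.
    return 0 if not diff["introduced"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Findings are keyed on package name plus CVE ID rather than on the whole record, so a changed installed version of the same package does not hide that the CVE is still there.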
Conclusion
Trivy is a critical tool in any DevOps toolkit, especially when working with Docker. It provides fast, accurate, and comprehensive vulnerability scanning that helps secure your software supply chain.
By integrating Trivy into your workflow, you ensure your containers are production-ready, secure, and compliant—without adding much overhead.
Secure your Docker containers today, so you don’t pay the price tomorrow.
If you found this blog helpful for your interviews or for learning Docker troubleshooting, please hit the heart 10 times and drop a comment! Your support motivates me to create more content on DevOps and related topics. ❤️
If you'd like to connect or discuss this topic further, feel free to reach out on LinkedIn.
LinkedIn: linkedin.com/in/musta-shaik
