Scan Docker Image for Vulnerabilities using Trivy & Jenkins

🎯 Objective

  • Fork the Node.js app repo

  • Add a Dockerfile

  • Build a Docker image

  • Scan the image using Trivy

  • Automate using Jenkins on Amazon Linux 2


🧰 Tools Used

  • GitHub (forked Node.js app repo)

  • Docker (image build)

  • Trivy (image vulnerability scanner)

  • Jenkins (pipeline automation)

  • Amazon Linux 2 EC2 instance (Jenkins and Trivy host)

🚀 Step-by-Step Guide


1️⃣ Fork the GitHub Repo

Go to 👉 https://github.com/suneelprojects/nodejs-project-docker.git and click on Fork to copy it to your own GitHub account.


2️⃣ Add a Dockerfile to Your Forked Repo

Create a file named Dockerfile in the root of your project and paste the following:

# Use official Node.js LTS version
FROM node:18-alpine

# Set working directory
WORKDIR /app

# Copy package.json and package-lock.json
COPY package*.json ./

# Install dependencies
RUN npm install

# Copy the rest of the code
COPY . .

# Expose port
EXPOSE 3000

# Start the application
CMD ["npm", "start"]

✅ Then commit and push the Dockerfile to your forked repo. If the repo has a package-lock.json, prefer RUN npm ci --omit=dev over npm install: it installs exactly the locked versions and leaves devDependencies out of the image, so Trivy has fewer packages to flag and the findings it does report are reproducible from build to build.


3️⃣ Install Trivy on Amazon Linux 2 EC2

sudo rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.rpm

Pin the release tag to the version in the file name, as above. The releases/latest/download/ path only serves assets of the newest release, so a URL that combines "latest" with a versioned file name stops working (404) as soon as a newer Trivy ships. Check https://github.com/aquasecurity/trivy/releases for a current version and substitute it in both places.

Verify installation:

trivy --version

4️⃣ Create a Jenkins Pipeline Job

  • Open Jenkins → New Item → Pipeline → docker-trivy-security-scan

5️⃣ Use the following Jenkins Pipeline Script

Replace the repo URL with your forked URL! Two prerequisites on the EC2 instance: the jenkins user must be allowed to run docker (sudo usermod -aG docker jenkins, then restart Jenkins), and the instance needs outbound internet access so Trivy can download its vulnerability database on the first scan.

pipeline {
    agent any

    stages {
        stage('Clone Code') {
            steps {
                // The shorthand form checks out the 'master' branch. If your fork's
                // default branch is 'main', use:
                //   git branch: 'main', url: 'https://github.com/<your-username>/nodejs-project-docker.git'
                git 'https://github.com/<your-username>/nodejs-project-docker.git'
            }
        }

        stage('Build Docker Image') {
            steps {
                // Builds from the Dockerfile in the checked-out workspace
                sh 'docker build -t nodejs-secure-app .'
            }
        }

        stage('Scan Image with Trivy') {
            steps {
                // --exit-code 0 and '|| true' make this stage report-only: findings of
                // MEDIUM and above are printed to the console but never fail the build.
                sh 'trivy image --exit-code 0 --severity MEDIUM,HIGH,CRITICAL nodejs-secure-app || true'
            }
        }
    }
}
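The pipeline above logs findings but can never block a release, because Trivy is told to exit 0 and the shell swallows any failure anyway. The following Jenkinsfile is an added example (not from the original post) of the same three stages turned into an actual gate: it keeps a JSON report as a build artifact and fails the build when a HIGH or CRITICAL vulnerability with an available fix is found. It assumes the same placeholder fork URL, a default branch named main, and a Jenkins agent that can run docker and reach the internet for the Trivy database; the image name and tag scheme are illustrative choices.

```groovy
pipeline {
    agent any

    environment {
        // Tag with the build number so each run scans exactly the image it built.
        // Assumption: the image name is a placeholder; pick your own.
        IMAGE = "nodejs-secure-app:${env.BUILD_NUMBER}"
    }

    stages {
        stage('Clone Code') {
            steps {
                // Assumption: the fork's default branch is 'main'.
                git branch: 'main', url: 'https://github.com/<your-username>/nodejs-project-docker.git'
            }
        }

        stage('Build Docker Image') {
            steps {
                sh 'docker build -t "$IMAGE" .'
            }
        }

        stage('Scan Image with Trivy') {
            steps {
                // First pass: machine-readable report, archived below for later review.
                // Second pass: table output in the console and a non-zero exit (build
                // failure) if any HIGH or CRITICAL finding has a fix available.
                // --ignore-unfixed stops findings with no upstream fix from blocking
                // every build; they still appear in the JSON report.
                // Jenkins runs 'sh' steps with -e, so a failing trivy fails the stage.
                sh '''
                    trivy image --format json --output trivy-report.json "$IMAGE"
                    trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 "$IMAGE"
                '''
            }
        }
    }

    post {
        always {
            // Keep the full report even when the gate fails, then free the agent's disk.
            archiveArtifacts artifacts: 'trivy-report.json', allowEmptyArchive: true
            sh 'docker rmi "$IMAGE" || true'
        }
    }
}
```

Start with MEDIUM in the severity list only once the image is clean at HIGH and CRITICAL; a gate that fails every build on day one tends to be disabled rather than fixed. Findings you have consciously accepted can be listed in a .trivyignore file in the repo so the gate stays meaningful.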

Outcome

  • Node.js Docker image is built and scanned using Trivy

  • Vulnerabilities are logged in Jenkins console output; because the scan stage uses --exit-code 0 and || true, they do not fail the build

  • You’ve integrated security scanning into your CI/CD pipeline as a reporting step; making it a gate means letting Trivy return a non-zero exit code for the severities you will not ship


Written by

Suneel Kumar Kola