🔒 Shift Left Security with Trivy: Automating Container Image Scanning in CI/CD Pipelines

“It passed all tests. Let’s push it to production.”

That sentence once marked the end of a developer’s responsibility. But in the cloud-native era, it’s a ticking time bomb if said without checking the security posture of the code you’re about to ship.

Let’s walk through how a DevOps team tackled this very issue—and how Trivy became their secret weapon for embedding security early in the CI/CD lifecycle.

🧨 The Incident That Sparked Change

It was a regular Tuesday when the alert came in:

🚨 “High CVE found in production container api:v4.3.2. Patch required ASAP.”

The container was deployed just hours ago. But how did it pass testing?
The answer: Nobody had scanned the image for vulnerabilities before deploying it.

By morning, they made a resolution:
➡️ Security has to shift left. Vulnerabilities must be caught before production—not after.

🔎 Enter Trivy: The Lightweight Security Scanner

They chose Trivy by Aqua Security—an open-source vulnerability scanner purpose-built for the modern DevOps workflow.

🚀 Why Devs Love Trivy

  • Fast: Scans in seconds

  • Simple: One binary, zero config

  • Comprehensive: OS packages, language libs, IaC, SBOMs

  • Plug-and-play: Works with GitHub Actions, GitLab CI, Jenkins, etc.

🔁 Why Shift Left Security Matters

Fixing a CVE after deployment is like fixing a cracked bridge after cars have crossed it.

🧾 According to IBM:
“Fixing vulnerabilities in production costs 6x more than addressing them during development.”

🧪 The Use Case: Automating Image Scans in GitHub Actions

You’re pushing a Docker image via GitHub Actions.
You want the pipeline to:

  • ✅ Automatically scan for CVEs

  • ⛔ Fail if critical/high issues are found

  • 🔔 Notify the team

🧰 Useful Trivy CLI Commands

🔍 1. Scan a Docker Image for CVEs

trivy image --severity CRITICAL,HIGH myapp:latest

🗂️ 2. Scan a Local Filesystem or Source Code Directory

trivy fs --severity CRITICAL,HIGH .

🧱 3. Scan Infrastructure-as-Code (IaC) files

Terraform:

trivy config infrastructure/main.tf

Kubernetes YAML:

trivy config k8s/deployment.yaml

Docker Compose:

trivy config docker-compose.yml

🔁 4. Scan a Git Repository (Remote or Local)

trivy repo https://github.com/your-org/your-app

🧽 5. Ignore Known Issues Using .trivyignore

echo "CVE-2023-12345" >> .trivyignore

🧩 How to Integrate Trivy in CI (GitHub Actions Workflow)

.github/workflows/trivy-scan.yml:

name: Trivy Container Scan

on:
  push:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Build Docker image
        run: docker build -t myapp:latest .

      - name: Run Trivy vulnerability scanner
        # The action's version tag was lost in extraction; @master always exists,
        # but pin a released tag of aquasecurity/trivy-action in real use
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'myapp:latest'
          format: 'table'
          exit-code: '1'
          severity: 'CRITICAL,HIGH'
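The action above does the scan and fails the job in one step. When a team wants more control (a readable summary in the job log, an ignore list that is reviewed in code, or a decision that only fixable findings block), the usual pattern is to write the report as JSON with `trivy image --format json --output report.json myapp:latest` and gate on it in a small script. The script below is an added example, not Trivy's or Aqua's own code; the sample report is constructed in Trivy's JSON layout using the three CVE IDs from the failing-build example in this post, and the package versions in it are made up. The `ignore_unfixed` option mirrors what Trivy's real `--ignore-unfixed` flag does.

```python
"""CI gate over a Trivy JSON report (added example, not Trivy's own code).

Produce the report with:  trivy image --format json --output report.json myapp:latest
Then run:                 python trivy_gate.py report.json .trivyignore
"""
import json
import sys
from collections import Counter
from pathlib import Path

# Severities that block the build; same policy as --severity CRITICAL,HIGH --exit-code 1
FAIL_ON = frozenset({"CRITICAL", "HIGH"})

# Constructed sample in Trivy's JSON layout (SchemaVersion 2). CVE IDs match the
# failing-build example in the post; versions are invented for illustration.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "myapp:latest",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "myapp:latest (debian 12.5)", "Class": "os-pkgs", "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-12345", "PkgName": "openssl",
                 "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1", "Severity": "CRITICAL"},
            ],
        },
        {
            "Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-23456", "PkgName": "npm",
                 "InstalledVersion": "9.5.0", "FixedVersion": "9.6.0", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2023-34567", "PkgName": "express",
                 "InstalledVersion": "4.17.1", "FixedVersion": "", "Severity": "HIGH"},
            ],
        },
        # Clean target: Trivy omits the "Vulnerabilities" key entirely, so code must tolerate that
        {"Target": "/app/config.yaml", "Class": "config", "Type": "yaml"},
    ],
}


def load_ignore(text):
    """Parse .trivyignore content: one ID per line, '#' starts a comment.
    Only the first token of a line is used; Trivy's optional 'exp:' expiry
    suffix is not evaluated by this simplified parser."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line.split()[0])
    return ids


def findings(report, ignored=frozenset(), ignore_unfixed=False):
    """Flatten the report into (id, package, severity, fixed_version) tuples,
    dropping ignored IDs and, optionally, findings with no fix available."""
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v["VulnerabilityID"] in ignored:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            out.append((v["VulnerabilityID"], v["PkgName"], v["Severity"], v.get("FixedVersion", "")))
    return out


def gate(report, ignored=frozenset(), fail_on=FAIL_ON, ignore_unfixed=False):
    """Return (exit_code, counts_by_severity, blocking_findings)."""
    found = findings(report, ignored, ignore_unfixed)
    counts = Counter(sev for _, _, sev, _ in found)
    blocking = [f for f in found if f[2] in fail_on]
    return (1 if blocking else 0), counts, blocking


def main(argv):
    report = json.loads(Path(argv[1]).read_text()) if len(argv) > 1 else SAMPLE_REPORT
    ignored = load_ignore(Path(argv[2]).read_text()) if len(argv) > 2 and Path(argv[2]).exists() else frozenset()
    code, counts, blocking = gate(report, ignored)
    print(f"Total: {sum(counts.values())} ({', '.join(f'{s}: {n}' for s, n in counts.items())})")
    for vid, pkg, sev, fixed in blocking:
        print(f"{sev}: {vid} in {pkg}" + (f" (fixed in {fixed})" if fixed else " (no fix yet)"))
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a step right after the scan step; because it exits non-zero on any blocking finding, the job fails exactly as with `exit-code: '1'`, but the ignore file is parsed from the repository and the "no fix available" case is an explicit policy decision rather than a surprise.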

🔥 Failing Build Example

Trivy output:

Total: 3 (CRITICAL: 1, HIGH: 2)

CRITICAL: CVE-2023-12345 in openssl  

HIGH: CVE-2023-23456 in npm  

HIGH: CVE-2023-34567 in express

➡️ Build fails immediately, giving developers fast feedback.

🎁 Bonus: SBOM + Audit-Ready Insights

With SBOM scanning, you get machine-readable reports for audit, compliance, and supply chain integrity.

Example: CycloneDX or SPDX formats.

trivy image --format spdx-json --output sbom.spdx.json myapp:latest
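The value of a stored SBOM shows up the next time a package makes the news: you can answer "which of our images ship this package, and at what version?" from the JSON files alone, without rescanning anything. The script below is an added example, not Trivy's own code; the SBOM embedded in it is a constructed SPDX 2.3 JSON fragment limited to the per-package fields Trivy emits that the script reads (`name`, `versionInfo` and the `purl` external reference).

```python
"""Query an SPDX JSON SBOM written by `trivy image --format spdx-json`
(added example, not Trivy's own code)."""
import json
import sys
from collections import Counter, defaultdict

# Constructed SBOM in SPDX 2.3 JSON shape; only the fields this script reads are present.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "name": "myapp:latest",
    "packages": [
        # The root entry describes the image itself and carries no purl
        {"SPDXID": "SPDXRef-ContainerImage-1", "name": "myapp:latest", "versionInfo": ""},
        {"SPDXID": "SPDXRef-Package-1", "name": "openssl", "versionInfo": "3.0.11-1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/openssl@3.0.11-1?arch=amd64"}]},
        {"SPDXID": "SPDXRef-Package-2", "name": "libc6", "versionInfo": "2.36-9",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/libc6@2.36-9?arch=amd64"}]},
        {"SPDXID": "SPDXRef-Package-3", "name": "express", "versionInfo": "4.17.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/express@4.17.1"}]},
        # Two copies of lodash: a realistic nested node_modules situation
        {"SPDXID": "SPDXRef-Package-4", "name": "lodash", "versionInfo": "4.17.21",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
        {"SPDXID": "SPDXRef-Package-5", "name": "lodash", "versionInfo": "4.17.15",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.15"}]},
    ],
}


def purl_of(pkg):
    """Return the package's purl external reference, or None if it has none."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return None


def purl_type(purl):
    """'pkg:deb/debian/openssl@3.0.11-1?arch=amd64' -> 'deb' (the purl type field)."""
    return purl[len("pkg:"):].split("/", 1)[0]


def inventory(sbom):
    """Map package name -> list of (version, ecosystem), lexically sorted.
    A name can appear several times when multiple versions are bundled."""
    inv = defaultdict(list)
    for pkg in sbom.get("packages", []):
        purl = purl_of(pkg)
        if purl is None:  # root image entry or an unidentified component
            continue
        inv[pkg["name"]].append((pkg.get("versionInfo", ""), purl_type(purl)))
    return {name: sorted(versions) for name, versions in inv.items()}


def ships(sbom, name):
    """Versions of `name` present in the image; empty list if it is absent."""
    return inventory(sbom).get(name, [])


def count_by_ecosystem(sbom):
    """Number of packages per ecosystem (deb, npm, pypi, ...), useful for audit summaries."""
    return dict(Counter(eco for versions in inventory(sbom).values() for _, eco in versions))


def main(argv):
    sbom = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_SBOM
    for name in argv[2:] or ["openssl", "lodash", "left-pad"]:
        print(name, ships(sbom, name) or "not shipped")
    print("by ecosystem:", count_by_ecosystem(sbom))


if __name__ == "__main__":
    main(sys.argv)
```

Usage: `python sbom_query.py sbom.spdx.json openssl` prints every version of openssl in the image. Note that the version list is sorted as strings, not by package-manager version rules, so use it for lookup rather than for deciding which copy is newer.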

💡 Pro Tips & Best Practices

✅ Cache vulnerability DBs:

export TRIVY_CACHE_DIR=/tmp/trivy-cache

❌ Fail on high/critical CVEs:

trivy image --exit-code 1 --severity CRITICAL,HIGH myapp:latest

🧽 Ignore known false positives:
Add CVE IDs to a .trivyignore file:

CVE-2023-12345

CVE-2023-23456

🔔 Integrate with alerting tools:
Use webhook integrations to send build failures to:

  • Slack

  • Microsoft Teams

  • GitHub Security Alerts
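A failed job on its own only tells the person who pushed. For the Slack case, the usual shape is a final workflow step guarded with `if: failure()` that posts a short summary to an incoming webhook whose URL comes from a repository secret. The helper below is an added example, not part of Trivy or the Trivy GitHub Action; it assumes the severity counts and blocking findings have already been computed from the scan (the sample values are taken from the failing-build example in this post), and the run URL is a placeholder. Microsoft Teams uses a different card payload, and for the GitHub Security tab the Trivy action can emit `format: 'sarif'` for upload with `github/codeql-action/upload-sarif` instead of a webhook.

```python
"""Post a Trivy gate failure to a Slack incoming webhook (added example,
not part of Trivy or the Trivy GitHub Action)."""
import json
import os
import urllib.error
import urllib.request

SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW")


def build_slack_payload(image, counts, blocking, run_url, limit=10):
    """Build a Slack incoming-webhook message: plain-text fallback plus Block Kit blocks.
    `counts` is {severity: n}; `blocking` is a list of (id, package, severity) tuples."""
    summary = ", ".join(f"{s}: {counts[s]}" for s in SEVERITY_ORDER if counts.get(s))
    lines = [f"• *{sev}* {vid} in `{pkg}`" for vid, pkg, sev in blocking[:limit]]
    if len(blocking) > limit:  # keep the message readable on a noisy image
        lines.append(f"... and {len(blocking) - limit} more")
    return {
        "text": f"Trivy gate failed for {image} ({summary})",
        "blocks": [
            {"type": "header", "text": {"type": "plain_text", "text": "Trivy scan failed"}},
            {"type": "section", "text": {"type": "mrkdwn",
                                         "text": f"*Image:* `{image}`\n*Findings:* {summary}"}},
            {"type": "section", "text": {"type": "mrkdwn",
                                         "text": "\n".join(lines) or "_no blocking findings_"}},
            {"type": "section", "text": {"type": "mrkdwn", "text": f"<{run_url}|Open workflow run>"}},
        ],
    }


def send_webhook(url, payload, timeout=10):
    """POST the payload as JSON; return the HTTP status, or None on a network error
    so a notification outage never masks the real (scan) failure in the job log."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except (urllib.error.URLError, TimeoutError):
        return None


if __name__ == "__main__":
    # Sample values from the post's failing-build example; run URL is a placeholder
    payload = build_slack_payload(
        "myapp:latest", {"CRITICAL": 1, "HIGH": 2},
        [("CVE-2023-12345", "openssl", "CRITICAL"),
         ("CVE-2023-23456", "npm", "HIGH"),
         ("CVE-2023-34567", "express", "HIGH")],
        os.environ.get("RUN_URL", "https://example.invalid/actions/runs/PLACEHOLDER"),
    )
    webhook = os.environ.get("SLACK_WEBHOOK_URL")  # set from a CI secret, never hard-coded
    if webhook:
        print("webhook status:", send_webhook(webhook, payload))
    else:
        print(json.dumps(payload, indent=2))  # dry run: show what would be sent
```

In GitHub Actions, `RUN_URL` can be assembled from `${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}`, and the step should run with `if: failure()` so a clean scan stays quiet.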

📬 Stay Connected with The Vowels of X

At The Vowels of X, we share insights across three key verticals:

🛠️ DevOps — Tools, automation, CI/CD, observability
🚗 Automobile — Industry trends, mobility tech, and innovation
🏥 Healthcare — Digital health, AI in medicine, and tech infrastructure

If any of this interests you, stay in the loop:

🔁 Feel free to follow, share, and drop a comment if you found this useful!
