Trivy image scanning in pull request pipelines

9913 views

                  - name: Build image
  run: docker build -t app:${{ github.sha }} .

- name: Scan image
  uses: aquasecurity/trivy-action@0.24.0
  with:
    image-ref: app:${{ github.sha }}
    severity: HIGH,CRITICAL
    exit-code: '1'
    ignore-unfixed: true

I scan container images before they ever reach a registry promotion step. Trivy gives quick visibility into OS packages, language dependencies, and misconfiguration issues in IaC. The important part is failing only on risk that the team is prepared to fix, otherwise the scan turns into wallpaper.

Kai Nakamura

More from Kai Nakamura

Trivy image scanning in pull request pipelines

0 Comments

More from Kai Nakamura