mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-15 12:15:16 +03:00
4.2 KiB
4.2 KiB
Workflow Reference: Container Scanning with Trivy in CI/CD
Container Security Scanning Pipeline
Source Code Push
│
▼
┌──────────────────┐
│ Build Docker │
│ Image │
└──────┬───────────┘
│
├──────────────────────┐
▼ ▼
┌──────────────┐ ┌──────────────┐
│ Trivy Image │ │ Trivy Config │
│ Vuln Scan │ │ Misconfig │
└──────┬───────┘ └──────┬───────┘
│ │
▼ ▼
┌──────────────┐ ┌──────────────┐
│ SARIF/JSON │ │ Table/JSON │
│ Output │ │ Output │
└──────┬───────┘ └──────┬───────┘
│ │
└──────────┬─────────┘
▼
┌──────────────────┐
│ Quality Gate │
│ Evaluation │
└──────┬───────────┘
│
┌─────────┴──────────┐
▼ ▼
PASS: Push to FAIL: Block
Registry + Tag + Alert Team
│
▼
┌──────────────┐
│ Generate │
│ SBOM + Sign │
└──────────────┘
Trivy Scan Types Reference
Image Scanning
# Full scan (OS + language packages)
trivy image --severity CRITICAL,HIGH --exit-code 1 myimage:tag
# OS packages only
trivy image --vuln-type os myimage:tag
# Language-specific packages only
trivy image --vuln-type library myimage:tag
# From Docker archive
trivy image --input image.tar
Filesystem Scanning
# Scan project directory for vulnerable dependencies
trivy fs --severity HIGH,CRITICAL /path/to/project
# Scan specific lockfile
trivy fs --severity HIGH,CRITICAL requirements.txt
Repository Scanning
# Scan remote git repository
trivy repo https://github.com/org/repo
# Scan specific branch
trivy repo --branch develop https://github.com/org/repo
Configuration Scanning
# Scan Dockerfile and Kubernetes manifests
trivy config .
# Scan Terraform files
trivy config --tf-vars terraform.tfvars ./terraform/
# Scan Helm charts
trivy config ./charts/myapp/
Output Format Options
| Format | Use Case | Flag |
|---|---|---|
| table | Human-readable terminal output | --format table |
| json | Programmatic processing and storage | --format json |
| sarif | GitHub Security tab upload | --format sarif |
| cyclonedx | SBOM generation (CycloneDX) | --format cyclonedx |
| spdx-json | SBOM generation (SPDX) | --format spdx-json |
| template | Custom report format | --format template --template @template.tpl |
| cosign-vuln | Cosign attestation format | --format cosign-vuln |
Severity Threshold Matrix
| Environment | Block On | Ignore Unfixed | Rationale |
|---|---|---|---|
| Development | CRITICAL | Yes | Fast feedback, focus on worst issues |
| Staging | CRITICAL, HIGH | Yes | Catch more issues before production |
| Production | CRITICAL, HIGH | No | Full visibility even for unfixed CVEs |
| Compliance | ALL | No | Complete audit trail required |
Database Management
Database Update Strategy
# Download DB only (for caching)
trivy image --download-db-only --cache-dir /shared/trivy-cache
# Skip DB update (use cached)
trivy image --skip-db-update --cache-dir /shared/trivy-cache myimage:tag
# Java DB for JAR scanning
trivy image --download-java-db-only --cache-dir /shared/trivy-cache
Cache Locations
- Default:
~/.cache/trivy/ - CI override:
TRIVY_CACHE_DIR=/tmp/trivy-cache - GitHub Actions: Use
actions/cachewith key based on date