Script Valley
Docker: Complete Course
CI/CD with Docker and Container Registries, Lesson 6.5

How to scan Docker images for vulnerabilities in CI

Trivy, docker scout, CVE scanning, SARIF format, GitHub Security tab, fail-on-severity, CI security gate, base image updates

Making Vulnerability Scanning a CI Gate


A container image is only as secure as its base image and dependencies. Scanning in CI catches CVEs before they reach production.

Scan with Trivy in GitHub Actions

      - name: Build image (no push)
        uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          tags: my-app:scan

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: my-app:scan
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          exit-code: 1        # Fail CI on CRITICAL or HIGH CVEs

      - name: Upload Trivy results to GitHub Security
        if: always()        # Still upload when the scan step fails the gate
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif

Setting exit-code: 1 fails the pipeline when vulnerabilities of the specified severity are found, making the scan a hard security gate. Results uploaded as SARIF appear in the repository's Security tab for review. The fix is almost always to update the base image or a vulnerable dependency. Rebuild weekly even without code changes to pick up patched base images.
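As an added example (not the course's code), the same fail-on-severity decision applied to a Trivy SARIF report in Python; it assumes Trivy records each CVE's severity as a label in the rule's properties.tags, and the report embedded below is constructed rather than a real scan:

```python
import json

# Severity labels Trivy uses, ranked so a threshold can be compared numerically.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape Trivy writes with --format sarif; the CVE ids
# are placeholders, not real advisories.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "CVE-0000-0001", "properties": {"security-severity": "9.8",
                "tags": ["vulnerability", "security", "CRITICAL"]}},
            {"id": "CVE-0000-0002", "properties": {"security-severity": "5.3",
                "tags": ["vulnerability", "security", "MEDIUM"]}},
        ]}},
        "results": [
            {"ruleId": "CVE-0000-0001", "level": "error", "locations": [{"physicalLocation":
                {"artifactLocation": {"uri": "usr/lib/libfoo.so"}}}]},
            {"ruleId": "CVE-0000-0002", "level": "warning", "locations": [{"physicalLocation":
                {"artifactLocation": {"uri": "usr/lib/libbar.so"}}}]},
        ],
    }],
})

def rule_severity(rule):
    """Severity label from a rule's tags (assumes Trivy's tag layout); UNKNOWN if absent."""
    tags = rule.get("properties", {}).get("tags", [])
    return next((t for t in tags if t in SEVERITY_RANK), "UNKNOWN")

def findings_at_or_above(sarif_text, threshold):
    """Return (ruleId, severity, location) for every result at or above threshold."""
    doc = json.loads(sarif_text)
    hits = []
    for run in doc.get("runs", []):
        # SARIF results reference rules by id; severity lives on the rule, not the result.
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            sev = rule_severity(rules.get(res["ruleId"], {}))
            if SEVERITY_RANK[sev] >= SEVERITY_RANK[threshold]:
                uri = res["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
                hits.append((res["ruleId"], sev, uri))
    return hits

def gate(sarif_text, threshold="HIGH"):
    """Exit status for CI: 1 (fail) if any finding meets the threshold, else 0."""
    return 1 if findings_at_or_above(sarif_text, threshold) else 0
```

With threshold HIGH the sample report trips the gate on the CRITICAL finding only, which mirrors what severity: CRITICAL,HIGH with exit-code: 1 does in the workflow above.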
