
Setting up Trivy in your GitHub Actions


Have you ever pushed code to production only to lie awake wondering, “Did I just deploy a vulnerability?” You’re not alone. But what if I told you that you can automate security scanning right within your GitHub workflows?

I am going to write a few upcoming blog posts on tools that can be used to mitigate this. Today, enter Trivy, an open-source security scanner that integrates seamlessly with GitHub Actions to help detect vulnerabilities and misconfigurations.

The all-in-one open source security scanner

Use Trivy to find vulnerabilities (CVE) & misconfigurations (IaC) across code repositories, binary artifacts, container images, Kubernetes clusters, and more. All in one tool!

https://trivy.dev/latest

Why Use Trivy for Security Scanning?

Security vulnerabilities aren’t just theoretical risks – they’re real-world problems that can lead to breaches, data leaks, and compliance failures. Here’s why Trivy is a great choice for security scanning:

  • Open Source: Free to use, no hidden costs.
  • Fast and Lightweight: Trivy quickly scans container images, file systems, and repositories for vulnerabilities.
  • Comprehensive Scanning: It detects not just vulnerabilities but also misconfigurations and exposed secrets.
  • Seamless GitHub Integration: With GitHub Actions, you can automate security scanning and upload results directly to the GitHub Security tab.
  • Continuous Monitoring: By running Trivy on push and pull requests, you can catch issues early, before they reach production.

Setting Up Trivy in GitHub Actions

I am going to show two examples of using Trivy with GitHub Actions:

  1. Scanning Docker Images for Vulnerabilities
  2. Scanning Terraform Code for Misconfigurations & Secrets (Trivy can be used to scan files/folders)

Scanning Docker Images for Vulnerabilities

Container images pull in operating system packages and language dependencies that carry their own CVEs, so the image you ship should be scanned, not just your source. Here’s how to build a Docker image and scan it with Trivy in GitHub Actions:

name: Trivy Docker Security Scan
on: [push, pull_request]

permissions:
  actions: read
  security-events: write

jobs:
  docker_security_scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Build Docker image
        run: |
          docker build -t ttapp:latest .

      - name: Run Trivy vulnerability scan
        uses: aquasecurity/trivy-action@0.30.0
        with:
          image-ref: 'ttapp:latest'
          format: 'sarif'
          exit-code: 0
          severity: 'CRITICAL,HIGH'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

What this does:

  • Scans your Docker image for CRITICAL and HIGH vulnerabilities.
  • Uploads findings to GitHub’s Security tab (look for the “Security” alerts in your repo).
  • Uses exit-code: 0 to let the pipeline continue even if issues are found.

Scanning Terraform Code for Misconfigurations & Secrets (Trivy can be used to scan files/folders)

Infrastructure-as-Code (IaC) security is just as critical as application security. Trivy can scan Terraform files for misconfigurations, security issues, and even exposed secrets. Here’s how to automate Terraform scanning with GitHub Actions:

name: Trivy Terraform Security Scan
on: [push, pull_request]

permissions:
  actions: read
  security-events: write

jobs:
  terraform_security_scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Scan Terraform
        uses: aquasecurity/trivy-action@0.30.0
        with:
          scan-type: 'fs'
          scan-ref: 'terraform/'  # Path to your Terraform files
          format: 'sarif'
          scanners: 'vuln,secret,misconfig'
          severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
          exit-code: 0
          output: 'trivy-terraform-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-terraform-results.sarif'

What this does:

  • Scans your Terraform folder for vulnerabilities, secrets, and misconfigurations at all severity levels.
  • Uploads findings to GitHub’s Security tab (look for the “Security” alerts in your repo).
  • Uses exit-code: 0 to let the pipeline continue even if issues are found.
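Both workflows above use exit-code: 0, which is the right choice for getting the SARIF file written and uploaded on every run, but it also means a CRITICAL finding never fails the job. The script below is an added example (not from the post, and not part of Trivy or trivy-action) of a separate gate step that reads the SARIF file Trivy wrote, counts findings per severity, writes a summary table to the job page, and fails only on the severities you choose. It assumes the SARIF layout Trivy produces with format: 'sarif' (each rule under runs[].tool.driver.rules[] carries the Trivy severity in properties.tags and a security-severity score, and each result points at its rule via ruleId); the embedded SARIF document, its CVE and AVD identifiers, and the script path are constructed placeholders for the demo.

```python
"""Gate a CI job on Trivy SARIF output while still uploading the full report.

Added example (not the post's or Trivy's own code). Assumes the SARIF shape
Trivy writes: rule severity in properties.tags, result -> rule via ruleId.
"""
import json
import os
import sys
from collections import Counter

# Constructed sample in the shape of a Trivy SARIF report: two image CVEs and
# one Terraform misconfiguration. Identifiers are placeholders, not real findings.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "Trivy",
            "rules": [
                {"id": "CVE-0000-0001", "shortDescription": {"text": "placeholder: libfoo RCE"},
                 "properties": {"security-severity": "9.8",
                                "tags": ["vulnerability", "security", "CRITICAL"]}},
                {"id": "CVE-0000-0002", "shortDescription": {"text": "placeholder: libbar DoS"},
                 "properties": {"security-severity": "7.5",
                                "tags": ["vulnerability", "security", "HIGH"]}},
                {"id": "AVD-PLACEHOLDER-0001", "shortDescription": {"text": "placeholder: old TLS version"},
                 "properties": {"security-severity": "5.0",
                                "tags": ["misconfiguration", "security", "MEDIUM"]}},
            ],
        }},
        "results": [
            {"ruleId": "CVE-0000-0001", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ttapp:latest"}}}]},
            {"ruleId": "CVE-0000-0002", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ttapp:latest"}}}]},
            {"ruleId": "AVD-PLACEHOLDER-0001", "level": "warning",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "terraform/main.tf"}}}]},
        ],
    }],
})

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")


def load_sarif(path=None) -> dict:
    """Load a SARIF file from disk, or the embedded sample when no path is given."""
    if path is None:
        return json.loads(SAMPLE_SARIF)
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def severity_of(rule: dict) -> str:
    """Return the Trivy severity tag carried by a rule, or UNKNOWN if absent."""
    tags = rule.get("properties", {}).get("tags", [])
    return next((t for t in tags if t in SEVERITIES), "UNKNOWN")


def count_by_severity(sarif: dict) -> Counter:
    """Count results per severity by joining each result to its rule definition."""
    counts = Counter()
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for result in run.get("results", []):
            counts[severity_of(rules.get(result["ruleId"], {}))] += 1
    return counts


def gate(sarif: dict, block_on=("CRITICAL", "HIGH")) -> bool:
    """True when no finding at a blocking severity is present."""
    counts = count_by_severity(sarif)
    return not any(counts[s] for s in block_on)


def markdown_summary(sarif: dict) -> str:
    """Render a per-severity table suitable for $GITHUB_STEP_SUMMARY."""
    counts = count_by_severity(sarif)
    lines = ["| Severity | Findings |", "|---|---|"]
    lines += [f"| {s} | {counts[s]} |" for s in SEVERITIES]
    return "\n".join(lines)


def main(argv) -> int:
    """Usage: python3 trivy_gate.py [trivy-results.sarif]; exit 1 on blocking findings."""
    sarif = load_sarif(argv[1] if len(argv) > 1 else None)
    summary = markdown_summary(sarif)
    print(summary)
    # In GitHub Actions, GITHUB_STEP_SUMMARY names a file; appending Markdown to it
    # shows the table on the job page without opening the Security tab.
    step_summary = os.environ.get("GITHUB_STEP_SUMMARY")
    if step_summary:
        with open(step_summary, "a", encoding="utf-8") as fh:
            fh.write(summary + "\n")
    return 0 if gate(sarif) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To wire it in, keep exit-code: 0 on the Trivy step, keep the upload-sarif step as it is, and add a final step such as `run: python3 scripts/trivy_gate.py trivy-results.sarif` (hypothetical path). The report always reaches the Security tab, and the job still goes red when a CRITICAL or HIGH finding is present. If you would rather have trivy-action itself fail the step by setting exit-code to 1, remember that later steps are skipped after a failure unless the upload step carries `if: always()`; otherwise the SARIF never gets uploaded on exactly the runs you care about.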

Understanding the results

Once the workflow runs, you can view scan results directly in GitHub under Security > Code scanning alerts.

[Screenshot: Security > Code scanning alerts]

This allows you to:

  • Identify vulnerabilities before they make it to production
  • See misconfigurations that could put your infrastructure at risk
  • Detect hardcoded secrets before they become a security liability
  • Prioritise and create issue items for vulnerabilities

“But Does This Actually Work?”

Let’s test it. Clone this sample app repo and run the workflows above. You’ll see:

  • A CRITICAL risk in Terraform, specifying an older TLS version
  • A few CRITICAL and HIGH risks in the Docker image

Fix them, push, and watch the Security tab go green. Feels good, doesn’t it?

Wrapping up

Security should never be an afterthought. Automating vulnerability scanning with Trivy and GitHub Actions ensures your code stays secure with minimal manual effort. Whether you’re scanning Docker images or Terraform configurations, Trivy provides a simple yet powerful way to integrate security into your CI/CD pipeline.

Give it a try in your repositories today, and let me know how it works for you!

GitHub repository containing all example content above

Useful documentation

