Getting Started with Trivy: A Must-Have Tool for DevSecOps

If you’ve been in the tech world long enough, you’ve probably noticed how security keeps creeping up the priority list. It’s no longer just an afterthought—it’s a core part of building software. That’s where DevSecOps comes in, blending security into the fast-paced DevOps cycle. And if you’re looking for a tool to make that happen without breaking a sweat, let me introduce you to Trivy. It’s an open-source security scanner that’s simple to use, lightning-fast, and quickly becoming a must-have for teams who want to stay ahead of vulnerabilities. Ready to dive in? Let’s get started.

Why Trivy Matters for DevSecOps

First things first: why should you care about Trivy? Well, in today’s world of containerized apps, Kubernetes clusters, and rapid deployments, security can’t wait until the end of the line. The whole “shift-left” idea—catching problems early in development—is what DevSecOps is all about. Trivy fits right into that mindset. It’s lightweight, doesn’t demand a ton of setup, and can scan everything from Docker images to Git repos for vulnerabilities. Plus, its vulnerability database gets refreshed every six hours, so you’re always working with the latest threat intel.

I’ve used plenty of security tools over the years, and what I love about Trivy is how it doesn’t slow you down. It’s fast enough to run in your CI/CD pipeline without making developers groan about delays. For DevSecOps teams, that’s gold—security that keeps up with the pace of modern development.

Getting Started: Installing Trivy

Let’s get Trivy on your machine. Don’t worry—it’s painless. There are a few ways to install it, depending on your setup. If you’re on a Mac or Linux machine with Homebrew, just open your terminal and type:

brew install trivy

Using Docker? Even easier:

docker pull aquasec/trivy:latest

Or, if you prefer grabbing it straight from the source, head to Trivy’s GitHub releases page, download the binary for your system, and pop it into your PATH. To make sure it’s working, run:

trivy --version

You’ll see something like Version: 0.60.0 (or whatever the latest is as of March 25, 2025). Boom—you’re in business.

Your First Trivy Scan

Now for the fun part: scanning something. Let’s start with a Docker image, since that’s a common use case. Pull a simple Python image if you don’t have one handy:

docker pull python:3.9

Then, scan it with Trivy:

trivy image python:3.9

Give it a sec, and you’ll see a table spill out in your terminal. It might look something like this (shortened for brevity):

Python (python-pkg)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌───────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────┐
│        Library        │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                        Title                        │
├───────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────┤
│ setuptools (METADATA) │ CVE-2024-6345 │ HIGH     │ fixed  │ 65.5.1            │ 70.0.0        │ pypa/setuptools: Remote code execution via download │
│                       │               │          │        │                   │               │ functions in the package_index module in...         │
│                       │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-6345           │
└───────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────┘

Each row shows a library in the image, any known vulnerabilities (CVEs), and how bad they are. “CRITICAL” is obviously the stuff you’ll want to fix ASAP. Don’t panic if the list looks long—most images have some baggage. The trick is focusing on what matters, and Trivy makes that easy.

Scanning Files with Trivy’s Filesystem Mode

Trivy isn’t just for containers—it’s got a neat trick up its sleeve for scanning local files too. This filesystem mode (or fs for short) is perfect when you want to check a directory on your machine for vulnerabilities or even sneaky hard-coded secrets. I’ve found it super handy for auditing codebases or random project folders before they get packaged up.
Let’s try it out. Say you’ve got a project folder sitting at ~/my-project. Open your terminal, navigate there, and run:

trivy fs .

That little dot tells Trivy to scan the current directory. It’ll dig through your files, looking for vulnerable dependencies (like in a package.json or requirements.txt) and even sniffing out exposed secrets—like an API key you accidentally left in a config file. Here’s a sample of what you might see:

Report Summary

┌──────────────────────────────┬──────┬─────────────────┬─────────┐
│            Target            │ Type │ Vulnerabilities │ Secrets │
├──────────────────────────────┼──────┼─────────────────┼─────────┤
│ package-lock.json            │ npm  │       12        │    -    │
├──────────────────────────────┼──────┼─────────────────┼─────────┤
│ myapi/requirements.txt       │ pip  │       19        │    -    │
├──────────────────────────────┼──────┼─────────────────┼─────────┤
│ myapi/scanned_files/157.json │ text │        -        │    1    │
├──────────────────────────────┼──────┼─────────────────┼─────────┤
│ myapi/scanned_files/167.json │ text │        -        │    1    │
└──────────────────────────────┴──────┴─────────────────┴─────────┘

If it finds something, you’ll get a breakdown of the file, the issue, and how serious it is. The secret detection is a lifesaver—I once caught a forgotten SSH key in a script thanks to this. You can narrow it down with flags like --severity CRITICAL,HIGH if you’re only worried about the big risks, or add --security-checks vuln,secret to be explicit about what you’re hunting.

It’s a quick way to double-check your work, especially before pushing code to a repo. Give it a shot on your next project—it’s like having a security buddy watching over your shoulder.

Integrating Trivy into a DevSecOps Workflow

Here’s where Trivy really shines: plugging it into your DevSecOps pipeline. Imagine you’re pushing code to GitHub, and you want to scan your container image automatically. Let’s set that up with GitHub Actions. Create a file called .github/workflows/scan.yml in your repo and add this:

name: Scan with Trivy
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Build Docker image
        run: docker build -t my-app:latest .
      - name: Run Trivy scan
        run: |
          docker run --rm aquasec/trivy:latest image --exit-code 1 --severity HIGH,CRITICAL my-app:latest

This workflow builds your image and scans it with Trivy on every push or pull request. The --exit-code 1 flag makes the job fail if Trivy finds HIGH or CRITICAL issues, so your team knows right away. It’s a dead-simple way to shift security left—catching problems before they hit production.

Tips for Success with Trivy

To get the most out of Trivy, here are a few tricks I’ve picked up:

• Focus on the big stuff: Add --severity CRITICAL,HIGH to your scan command if you only want the worst offenders. Cuts through the noise.
• Speed it up: Trivy downloads its vulnerability database fresh each time, which is great for accuracy but can slow things down. Cache it locally with --cache-dir ~/.trivy/cache if you’re scanning a lot.
• Explore extras: Trivy isn’t just for containers. Try trivy fs . to scan your local filesystem or trivy repo https://github.com/your/repo to check a Git repo for secrets and vulnerabilities.

Once you’re comfortable, dig into features like generating a Software Bill of Materials (SBOM) with --format cyclonedx. It’s a game-changer for tracking what’s in your app.

Wrapping Up

Trivy’s one of those tools that feels too good to be free—simple enough for a quick start, powerful enough for pro-level security. For DevSecOps teams, it’s a no-brainer: it fits into your workflow, keeps your apps safe, and doesn’t bog you down with complexity. Whether you’re just dipping your toes into container security or hardening a sprawling Kubernetes setup, Trivy’s got your back.

So, give it a spin! Scan an image, hook it into your pipeline, and see how it feels. Got questions or cool Trivy stories? Drop them in the comments—I’d love to hear how it works for you.