Trivy Cheat Sheet 2026: Security Scanning Commands
DevOps


Trivy cheat sheet. Image scanning, filesystem scan, IaC scan, SBOM generation, and CI/CD integration. Copy-paste ready commands for daily operations.

Luca Berton
· 1 min read

A quick reference for Trivy, the all-in-one security scanner. Bookmark this page.

Container Image Scanning

# Scan a container image
trivy image nginx:latest
trivy image --severity HIGH,CRITICAL nginx:latest

# Scan an image saved as a tar archive (e.g. from docker save) without pulling it from a registry
trivy image --input myapp.tar

# Scan with specific format
trivy image -f json -o results.json nginx:latest
trivy image -f table nginx:latest
trivy image -f sarif -o results.sarif nginx:latest

# Ignore unfixed vulnerabilities
trivy image --ignore-unfixed nginx:latest

# Skip specific directories during the scan (to suppress a specific vulnerability ID, list it in .trivyignore instead)
trivy image --skip-dirs /usr/local/lib nginx:latest

Filesystem and Repository Scanning

# Scan current directory
trivy fs .
trivy fs --severity HIGH,CRITICAL .

# Scan specific path
trivy fs /path/to/project

# Scan Git repository
trivy repo https://github.com/org/myapp
trivy repo --branch develop https://github.com/org/myapp

Kubernetes Scanning

# Scan running cluster
trivy k8s --report summary cluster

# Scan specific namespace
trivy k8s -n production --report all

# Scan specific resource
trivy k8s deployment/my-app

# Generate compliance report
trivy k8s --compliance k8s-nsa --report summary
trivy k8s --compliance k8s-cis --report all

Configuration and IaC Scanning

# Scan Terraform files
trivy config .
trivy config --tf-vars terraform.tfvars .

# Scan Kubernetes manifests
trivy config -f json k8s-manifests/

# Scan Dockerfiles
trivy config Dockerfile

# Scan Helm charts
trivy config mychart/

SBOM (Software Bill of Materials)

# Generate SBOM (both SPDX and CycloneDX are emitted as JSON by Trivy)
trivy image --format spdx-json -o sbom.spdx.json nginx:latest
trivy image --format cyclonedx -o sbom.cdx.json nginx:latest

# Scan from SBOM
trivy sbom sbom.json

CI/CD Integration

# Exit with error code on findings (for CI)
trivy image --exit-code 1 --severity CRITICAL nginx:latest

# Cache for faster scans
trivy image --cache-dir /tmp/trivy-cache nginx:latest

# Skip DB update (if pre-cached)
trivy image --skip-db-update nginx:latest

# Use in GitHub Actions (pin the action to a release tag or commit SHA rather than @master in production pipelines)
# - name: Trivy scan
#   uses: aquasecurity/trivy-action@master
#   with:
#     image-ref: myapp:latest
#     severity: HIGH,CRITICAL
#     exit-code: 1

Configuration File

# trivy.yaml
severity:
  - HIGH
  - CRITICAL
ignore-unfixed: true
format: table
exit-code: 1
skip-dirs:
  - node_modules
  - .git
  - vendor

Tips and Tricks

  • Use --ignore-unfixed in CI to avoid noise from unpatched upstream vulnerabilities
  • Use .trivyignore file to suppress known false positives
  • Use trivy server mode for centralized scanning in large teams
  • Combine image + config scanning for full supply chain coverage
  • Update the vulnerability DB regularly: trivy image --download-db-only
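To show what the CI gate above (--severity, --exit-code, --ignore-unfixed) and a .trivyignore file actually do to a scan result, here is an added example, not part of the original cheat sheet or of Trivy itself. It reads Trivy's -f json result layout (Results / Vulnerabilities / VulnerabilityID / FixedVersion / Severity) from a constructed sample with placeholder CVE IDs and reproduces the filtering logic so you can see which findings survive each option.

```python
import json

# Constructed sample in the layout of `trivy image -f json`; the CVE IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "nginx:latest (debian 12.4)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "Severity": "CRITICAL",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "Severity": "HIGH",
             "InstalledVersion": "2.3", "FixedVersion": ""},        # no upstream fix yet
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "Severity": "HIGH",
             "InstalledVersion": "0.9", "FixedVersion": "0.9.1"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libqux", "Severity": "MEDIUM",
             "InstalledVersion": "4.1", "FixedVersion": "4.2"},
        ]},
        {"Target": "app/package-lock.json", "Vulnerabilities": None},  # Trivy emits null when clean
    ]
})

# Constructed .trivyignore: one vulnerability ID per line, '#' starts a comment.
SAMPLE_TRIVYIGNORE = "# accepted risk, tracked in TICKET-PLACEHOLDER\nCVE-0000-0003\n"


def parse_trivyignore(text):
    """Return the set of vulnerability IDs suppressed by a .trivyignore file."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def gate(report_json, fail_on=("HIGH", "CRITICAL"), ignore_unfixed=True, ignored_ids=frozenset()):
    """Apply --severity, --ignore-unfixed and .trivyignore; return (exit_code, surviving findings)."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # tolerate null/missing lists
            if v["Severity"] not in fail_on:
                continue
            if v["VulnerabilityID"] in ignored_ids:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            findings.append((result["Target"], v["VulnerabilityID"], v["PkgName"], v["Severity"]))
    return (1 if findings else 0), findings   # 1 mirrors --exit-code 1 behaviour


if __name__ == "__main__":
    code, hits = gate(SAMPLE_REPORT, ignored_ids=parse_trivyignore(SAMPLE_TRIVYIGNORE))
    for target, vuln_id, pkg, sev in hits:
        print(f"{sev:9} {vuln_id} {pkg} ({target})")
    raise SystemExit(code)
```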
