L14. Image Scanning: Trivy, Grype and Admission Control
Container images are the primary supply chain attack vector. Learn how to scan images for vulnerabilities in CI/CD pipelines and enforce scanning at admission time.
Why Scan Images?
Container images bundle application code, dependencies, and OS libraries. Any of these can contain known vulnerabilities. A single unpatched library in a base image can expose your entire cluster.
Image scanning should happen at two points:
- CI/CD pipeline: Catch vulnerabilities before images are pushed to the registry
- Admission control: Block unscanned or vulnerable images from being deployed
Trivy
Trivy is the most widely used open-source scanner. It detects vulnerabilities in OS packages, language dependencies, IaC misconfigurations, and secrets:
# Scan an image
trivy image nginx:1.25

# Scan with severity filter and exit code for CI
trivy image --severity HIGH,CRITICAL --exit-code 1 myapp:latest

# Scan a filesystem (for IaC and secrets)
trivy fs --scanners vuln,secret,misconfig .
Trivy can output results in multiple formats (table, JSON, SARIF) for integration with CI/CD dashboards and GitHub Advanced Security.
Grype
Grype is an alternative scanner from Anchore. It focuses on vulnerability detection with fast database updates:
grype myapp:latest --fail-on critical

Both Trivy and Grype use public vulnerability databases (NVD, GitHub Advisory, OS vendor databases). The key difference is Grype's tighter integration with the Anchore platform for enterprise policy enforcement.
CI/CD Integration
Add scanning to your build pipeline so vulnerabilities are caught before images reach the registry:
# GitHub Actions example
- name: Scan image
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: myapp:${{ github.sha }}
    severity: HIGH,CRITICAL
    exit-code: 1
    format: sarif
    output: trivy-results.sarif
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: trivy-results.sarif
Best practice: Fail the build on HIGH and CRITICAL vulnerabilities. Track MEDIUM as technical debt in your backlog.
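The gate described above, as an added example that is not part of the original lesson: a small Python script that reads Trivy's JSON output (`trivy image --format json`) and applies the "fail on HIGH/CRITICAL, track MEDIUM" rule in one pass. The sample report, its CVE IDs, package names and versions are constructed placeholders; only the field names follow Trivy's JSON schema.

```python
import json
from collections import Counter

# Constructed sample shaped like `trivy image --format json` (SchemaVersion 2);
# CVE IDs, packages and versions are placeholders, not real findings.
SAMPLE_TRIVY_JSON = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {"Target": "myapp:latest (debian 12.4)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
              "InstalledVersion": "2.1", "FixedVersion": "", "Severity": "MEDIUM"}]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "examplepkg",
              "InstalledVersion": "3.0.0", "FixedVersion": "3.0.1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "otherpkg",
              "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "LOW"}]},
        {"Target": "usr/bin/app", "Class": "lang-pkgs"},  # clean: no Vulnerabilities key
    ],
})

FAIL_ON = {"HIGH", "CRITICAL"}  # same threshold as --severity HIGH,CRITICAL --exit-code 1
TRACK = {"MEDIUM"}              # reported as technical debt, never fails the build

def summarize(report_json: str) -> dict:
    """Count findings per severity and split them into blocking vs. tracked debt."""
    counts, blocking, debt = Counter(), [], []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key absent on clean targets
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] += 1
            entry = (result["Target"], vuln["VulnerabilityID"], vuln["PkgName"],
                     vuln.get("FixedVersion") or "no fix available")
            if sev in FAIL_ON:
                blocking.append(entry)
            elif sev in TRACK:
                debt.append(entry)
    return {"counts": dict(counts), "blocking": blocking, "debt": debt}

def gate(report_json: str) -> int:
    """CI step exit code: 1 if any HIGH/CRITICAL finding exists, otherwise 0."""
    summary = summarize(report_json)
    for label, findings in (("BLOCK", summary["blocking"]), ("DEBT ", summary["debt"])):
        for target, cve, pkg, fix in findings:
            print(f"{label} {cve} in {pkg} ({target}); fix: {fix}")
    return 1 if summary["blocking"] else 0

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_TRIVY_JSON))
```

In a pipeline, feed it the file written by `trivy image --format json --output report.json` instead of the embedded sample; the exit code fails the step while the DEBT lines go to the backlog.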
Admission Control
Scanning in CI/CD is not enough. Someone can push an unscanned image directly to the registry or bypass the pipeline. Admission controllers enforce scanning at deploy time. Kyverno policy to require a scan annotation:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-image-scan
spec:
  validationFailureAction: Enforce
  rules:
  - name: check-scan
    match:
      resources:
        kinds: ["Pod"]
    validate:
      message: "Images must be scanned. Add scan annotation."
      pattern:
        metadata:
          annotations:
            security.scan/passed: "true"
OPA Gatekeeper and Sigstore Policy Controller provide similar capabilities with different policy languages.
Registry Scanning
Enable automatic scanning in your container registry:
- Docker Hub: Automatic scanning on push
- AWS ECR: Enhanced scanning with Inspector
- Azure ACR: Defender for Containers
- GCP Artifact Registry: On-push scanning with Container Analysis
- ✓ Image scanning must happen at two points: CI/CD pipeline (before push) and admission control (before deploy)
- ✓ Trivy scans for OS vulnerabilities, language dependencies, IaC misconfigurations, and embedded secrets
- ✓ Fail CI builds on HIGH and CRITICAL vulnerabilities; track MEDIUM as technical debt
- ✓ Admission controllers (Kyverno, OPA Gatekeeper) enforce scanning at deploy time to catch pipeline bypasses
- ✓ Enable automatic scanning in your container registry (ECR Inspector, ACR Defender, GCP Container Analysis)
1. Why is CI/CD scanning alone not sufficient for image security?
2. Which Trivy flag causes the scanner to return a non-zero exit code when vulnerabilities are found?
3. Which admission controller tool uses YAML-based policies to validate Kubernetes resources?