{"id":"3642d8d4-16f3-43ed-9bd0-a251f45b38dc","task":"Scan a container image for vulnerabilities and gate CI on severity thresholds using Trivy","domain":"aquasecurity.github.io/trivy","steps":["Install Trivy via the official install script or package manager","Run `trivy image --exit-code 1 --severity CRITICAL,HIGH <image>:<tag>` to fail the pipeline if CRITICAL or HIGH CVEs are found","Output results in SARIF for GitHub Advanced Security: `trivy image --format sarif --output trivy-results.sarif <image>`","Upload the SARIF file using the `github/codeql-action/upload-sarif` action to surface findings in the Security tab","Review the `TRIVY_IGNOREFILE` (`.trivyignore`) mechanism to suppress known false positives with documented justification"],"gotchas":["Trivy's exit code 1 is triggered by the `--exit-code 1` flag combined with findings at or above the specified severity; without `--exit-code 1` the scan always exits 0 regardless of findings","OS package vulnerabilities are only detected when the image contains package manager metadata; distroless images may show fewer findings not because they are safer but because Trivy has less to scan","Trivy's vulnerability database is updated daily; pinning the Trivy version in CI without also updating the DB (`trivy image --download-db-only`) can result in stale detection data"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/3642d8d4-16f3-43ed-9bd0-a251f45b38dc"}