Install Trivy in your CI environment using the official install script, package manager, or by pulling the aquasec/trivy Docker image; pin a specific version tag
Run trivy image IMAGE_NAME:TAG to scan OS packages and language-specific dependencies for vulnerabilities (secret scanning is also on by default); add --scanners vuln,misconfig,secret if you also want Dockerfile and image-configuration checks in the same run; use --severity HIGH,CRITICAL to limit output to actionable findings
Add --exit-code 1 to fail the pipeline when vulnerabilities at or above the specified severity are detected; use --ignore-unfixed to skip vulnerabilities that have no available fix
Output results in a machine-readable format with --format json or --format sarif and save to a file with --output results.json for downstream processing or dashboard upload
For reproducible scans, populate a cache once with trivy image --download-db-only --cache-dir ./trivy-cache, then pass --cache-dir ./trivy-cache --skip-db-update (the flag formerly called --skip-update) in air-gapped pipelines or to avoid the pull rate limits on ghcr.io, where Trivy publishes its database as an OCI artifact; --db-repository lets you point at an internal mirror instead
Scan infrastructure-as-code files alongside images with trivy config . to detect misconfigured Kubernetes manifests, Dockerfiles, and Terraform files in the same pipeline step
Known gotchas
Trivy downloads its vulnerability database on first run and checks for a newer one on later runs; if the CI runner has no internet access or the download fails, the scan errors out, and with --skip-db-update it silently uses whatever is in the cache, however stale, so persist the --cache-dir contents between pipeline runs and refresh them on a schedule
Base image vulnerabilities are reported alongside application dependencies; distinguish between OS-layer findings (fixable by updating the base image) and application-layer findings (fixable by updating dependencies)
The --ignore-unfixed flag hides every finding for which the distribution has not shipped a patched package, including vulnerabilities that are exploitable today and already fixed upstream, and ones the distro has marked will-not-fix; review unfixed findings periodically and mitigate them another way (switch base image, drop the package, add a runtime control) rather than treating them as absent
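The pipeline steps above and the gotchas about layers and unfixed findings come together in the following Python wrapper, added here as an example rather than code from the Trivy project: it composes the trivy image and trivy config invocations with the flags discussed, runs them only if trivy is on PATH, and triages a JSON report so that OS-layer and application-layer findings are counted separately and the findings --ignore-unfixed would have hidden stay visible. The cache path, the gating severities, the helper names and the embedded SAMPLE_REPORT (with placeholder CVE identifiers) are assumptions constructed for the example; the report shape follows Trivy's JSON output (Results[].Class, Results[].Vulnerabilities[].FixedVersion).

```python
"""Trivy CI wrapper and JSON triage. Added example, not Trivy's own code."""
import json
import os
import shutil
import subprocess
import sys
from collections import Counter

# Assumed CI conventions (not from Trivy): cache dir persisted between runs,
# build gated on HIGH/CRITICAL only.
CACHE_DIR = os.environ.get("TRIVY_CACHE_DIR", "./trivy-cache")
GATED = ("HIGH", "CRITICAL")


def trivy_image_cmd(image, out_path, cache_dir=CACHE_DIR, offline=False):
    """Compose `trivy image` with severity gating, JSON output and fix filtering."""
    cmd = ["trivy", "image", "--cache-dir", cache_dir, "--severity", ",".join(GATED),
           "--exit-code", "1", "--ignore-unfixed", "--format", "json", "--output", out_path]
    if offline:
        cmd.append("--skip-db-update")  # use only the cached DB (formerly --skip-update)
    return cmd + [image]


def trivy_config_cmd(path, out_path, cache_dir=CACHE_DIR):
    """Compose `trivy config` for Kubernetes manifests, Dockerfiles and Terraform."""
    return ["trivy", "config", "--cache-dir", cache_dir, "--severity", ",".join(GATED),
            "--exit-code", "1", "--format", "json", "--output", out_path, path]


def run_scan(cmd):
    """Run trivy; exit 1 means gated findings, anything else non-zero is a scan failure."""
    if shutil.which("trivy") is None:
        raise RuntimeError("trivy is not on PATH")
    rc = subprocess.run(cmd, check=False).returncode
    if rc not in (0, 1):
        raise RuntimeError(f"trivy failed with exit {rc} (missing or stale DB?)")
    return rc


def triage(report):
    """Flatten a Trivy JSON report into one dict per finding, tagged with its layer."""
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "layer": result.get("Class"),  # "os-pkgs" = base image, "lang-pkgs" = app deps
                "target": result.get("Target"),
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "severity": v["Severity"],
                "fixed_in": v.get("FixedVersion") or None,  # None = no patched package yet
            })
    return findings


def summarize(findings):
    """Severity counts per layer, so base-image and dependency work can be split."""
    by_layer = {}
    for f in findings:
        by_layer.setdefault(f["layer"], Counter())[f["severity"]] += 1
    return by_layer


def gate(findings, ignore_unfixed=True):
    """Mirror --exit-code 1 / --ignore-unfixed: the findings that should fail the build."""
    return [f for f in findings
            if f["severity"] in GATED and (f["fixed_in"] is not None or not ignore_unfixed)]


def unfixed(findings):
    """What --ignore-unfixed would hide; report these even when they do not block."""
    return [f for f in findings if f["fixed_in"] is None]


# Constructed sample report (placeholder IDs), shaped like Trivy's JSON output.
SAMPLE_REPORT = {"Results": [
    {"Target": "app:1.0 (debian 12.5)", "Class": "os-pkgs", "Type": "debian", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "InstalledVersion": "1.0-1",
         "FixedVersion": "1.0-2", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "InstalledVersion": "2.3",
         "Severity": "CRITICAL"}]},
    {"Target": "usr/app/package-lock.json", "Class": "lang-pkgs", "Type": "npm", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "left-widget", "InstalledVersion": "3.1.0",
         "FixedVersion": "3.1.1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "tiny-parser", "InstalledVersion": "0.9.0",
         "FixedVersion": "0.9.2", "Severity": "MEDIUM"}]}]}


if __name__ == "__main__":
    image = sys.argv[1] if len(sys.argv) > 1 else "app:1.0"
    os.makedirs(CACHE_DIR, exist_ok=True)
    run_scan(trivy_image_cmd(image, "results.json", offline="--offline" in sys.argv))
    run_scan(trivy_config_cmd(".", "config-results.json"))
    with open("results.json") as fh:
        found = triage(json.load(fh))
    print(json.dumps(summarize(found)))
    for f in unfixed(found):
        print(f"UNFIXED {f['id']} {f['pkg']} in {f['target']}")
    sys.exit(1 if gate(found) else 0)
```

Run it with --exit-code 0 on the trivy side if you want this script, not trivy, to decide the build outcome; the gate() call at the end reproduces the same decision and still prints the unfixed findings that the flag would otherwise have removed from the report.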