Run trivy image against a target container image to identify OS and library vulnerabilities
Run trivy fs against a local filesystem or repository checkout to scan application dependencies
Run trivy config against infrastructure-as-code files (Terraform, Kubernetes manifests, Dockerfiles) to identify misconfigurations
Create a .trivyignore file or a structured ignore policy file to suppress known-acceptable findings with a documented justification and expiry date
Integrate trivy in CI with an exit-code policy so the build fails whenever a finding at or above the chosen severity threshold (for example HIGH or CRITICAL) remains after suppressions are applied
Export results in a structured format (JSON or SARIF) for ingestion into a vulnerability management platform
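The six steps above wired into one CI job, as an added example that is not Trivy's own code or tooling. It builds the argv for the image, fs and config scans with a severity threshold, a non-zero exit code, JSON/SARIF output and a structured ignore file, and refreshes the vulnerability database once before scanning. The image name, directory paths, ticket reference and CVE id are constructed placeholders; the Trivy flags used (--severity, --exit-code, --format, --output, --ignorefile, --skip-db-update, --download-db-only) and the .trivyignore.yaml keys (id, statement, expired_at, paths) are Trivy's own.

```python
"""CI wiring for the Trivy steps above (added example, not Trivy's code)."""
import json
import shutil
import subprocess
import sys
from typing import Iterable, List, Optional

# Trivy's severity names, lowest to highest.
SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def severities_at_or_above(threshold: str) -> str:
    """Comma-separated --severity value covering the threshold and everything above it."""
    idx = SEVERITIES.index(threshold.upper())  # ValueError on an unknown name
    return ",".join(SEVERITIES[idx:])


def build_scan_cmd(kind: str, target: str, *, fmt: str = "json",
                   output: Optional[str] = None, threshold: str = "HIGH",
                   fail_build: bool = True,
                   ignorefile: str = ".trivyignore.yaml") -> List[str]:
    """argv for one of the three scan kinds: image, fs or config."""
    if kind not in ("image", "fs", "config"):
        raise ValueError(f"unsupported scan kind: {kind}")
    cmd = ["trivy", kind, "--format", fmt]
    if output:
        cmd += ["--output", output]
    cmd += ["--severity", severities_at_or_above(threshold)]
    # Exit 1 only when findings at/above the threshold survive the ignore file.
    cmd += ["--exit-code", "1" if fail_build else "0"]
    cmd += ["--ignorefile", ignorefile]
    if kind != "config":
        # The DB was refreshed once by db_refresh_cmd(); skip a second download per job.
        cmd.append("--skip-db-update")
    cmd.append(target)
    return cmd


def db_refresh_cmd() -> List[str]:
    """Pull the current vulnerability DB once, before any scan in the pipeline runs."""
    return ["trivy", "image", "--download-db-only"]


def render_ignore_policy(entries: Iterable[dict]) -> str:
    """Render the vulnerabilities section of Trivy's YAML ignore file.

    Entry keys: id, statement (the justification), expired_at (YYYY-MM-DD),
    optional paths (files within the artifact the suppression is limited to).
    """
    lines = ["vulnerabilities:"]
    for e in entries:
        lines.append(f"  - id: {e['id']}")
        lines.append(f"    statement: {json.dumps(e['statement'])}")  # JSON string is a valid YAML scalar
        if e.get("expired_at"):
            lines.append(f"    expired_at: {e['expired_at']}")
        if e.get("paths"):
            lines.append("    paths:")
            lines += [f"      - {json.dumps(p)}" for p in e["paths"]]
    return "\n".join(lines) + "\n"


def pipeline(image: str = "registry.example/app:1.2.3",  # placeholder image
             checkout: str = ".", iac_dir: str = "./deploy") -> List[List[str]]:
    """Ordered commands for one CI job: DB refresh, then the three scans."""
    return [
        db_refresh_cmd(),
        build_scan_cmd("image", image, output="image-vulns.json"),
        build_scan_cmd("fs", checkout, output="deps-vulns.json"),
        # SARIF lets the platform attribute each misconfiguration to a file and line.
        build_scan_cmd("config", iac_dir, fmt="sarif", output="iac-misconfig.sarif"),
    ]


if __name__ == "__main__":
    with open(".trivyignore.yaml", "w", encoding="utf-8") as fh:
        fh.write(render_ignore_policy([{
            "id": "CVE-0000-0000",  # constructed placeholder id
            "statement": "affected code path is compiled out; see TICKET-PLACEHOLDER",
            "expired_at": "2099-01-01",
        }]))
    worst = 0
    for cmd in pipeline():
        print("$", " ".join(cmd))
        if shutil.which("trivy"):  # dry-run when the binary is absent
            worst = max(worst, subprocess.run(cmd, check=False).returncode)
    sys.exit(1 if worst else 0)
```

Run it from the repository root in the CI job; the script's own exit status is the policy result, so the job fails only when a scan returned non-zero. Keep the ignore file under version control so each suppression's statement and expiry are reviewed like any other change.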
Known gotchas
The .trivyignore file suppresses findings globally by CVE ID with no scope: a suppression added for one image silently suppresses the same CVE in every image scanned with that file in the same workspace
Trivy vulnerability data is only as fresh as the local database; ensure the database is updated before each scan in CI to avoid missed CVEs
Config scanning rule sets differ by IaC type; running trivy config without specifying the correct file type may cause rules for the wrong platform to be applied or skipped
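Because the flat ignore file cannot scope a suppression to one image, a post-scan gate over Trivy's JSON output can carry that scope and an expiry itself. The following is an added example, not Trivy's code: it reads reports in Trivy's JSON shape (ArtifactName, Results[].Target, Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity), applies suppressions that match on CVE id and an image-name glob, treats a lapsed expiry as blocking again, and returns the exit code for the build. The two reports, the CVE ids, image names and dates are constructed sample data.

```python
"""Scoped, expiring suppressions over Trivy JSON output (added example, not Trivy's code)."""
import json
import sys
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatch
from typing import Dict, Iterable, List, Optional

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
TODAY = date(2024, 6, 1)  # fixed "today" so the sample run is reproducible


@dataclass(frozen=True)
class Suppression:
    vuln_id: str        # CVE id the suppression applies to
    artifact_glob: str  # image-name glob, e.g. "registry.example/app:*"
    reason: str         # documented justification
    expires: date       # after this day the finding blocks the build again


def findings(report: dict) -> Iterable[dict]:
    """Flatten a Trivy JSON report into one dict per vulnerability."""
    artifact = report.get("ArtifactName", "")
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            yield {"artifact": artifact, "target": result.get("Target", ""),
                   "id": v["VulnerabilityID"], "pkg": v.get("PkgName", ""),
                   "installed": v.get("InstalledVersion", ""),
                   "fixed": v.get("FixedVersion", ""),
                   "severity": v.get("Severity", "UNKNOWN").upper()}


def evaluate(report: dict, suppressions: List[Suppression], threshold: str = "HIGH",
             today: Optional[date] = None) -> Dict[str, object]:
    """Classify one report's findings as blocking, suppressed or expired."""
    today = today or date.today()
    floor = SEVERITY_RANK[threshold.upper()]
    out: Dict[str, object] = {"blocking": [], "suppressed": [], "expired": []}
    for f in findings(report):
        if SEVERITY_RANK.get(f["severity"], 0) < floor:
            continue  # below the policy threshold
        match = next((s for s in suppressions if s.vuln_id == f["id"]
                      and fnmatch(f["artifact"], s.artifact_glob)), None)
        if match is None:
            out["blocking"].append(f)
        elif today > match.expires:
            out["expired"].append((f, match))  # lapsed: counts as blocking
            out["blocking"].append(f)
        else:
            out["suppressed"].append((f, match))
    out["exit_code"] = 1 if out["blocking"] else 0
    return out


def gate(reports: Iterable[dict], suppressions: List[Suppression],
         threshold: str = "HIGH", today: Optional[date] = None) -> int:
    """Print a per-image summary and return the build exit code (worst report wins)."""
    worst = 0
    for rep in reports:
        res = evaluate(rep, suppressions, threshold, today)
        for f in res["blocking"]:
            print(f"BLOCK   {f['artifact']}: {f['id']} {f['severity']} {f['pkg']} "
                  f"{f['installed']} fixed={f['fixed'] or 'none'}")
        for f, s in res["suppressed"]:
            print(f"IGNORE  {f['artifact']}: {f['id']} until {s.expires} ({s.reason})")
        for f, s in res["expired"]:
            print(f"EXPIRED {f['artifact']}: {f['id']} suppression lapsed on {s.expires}")
        worst = max(worst, res["exit_code"])
    return worst


# Constructed sample reports: the same CVE appears in two different images.
SAMPLE_REPORTS = [
    {"ArtifactName": "registry.example/app:1.2.3", "Results": [{
        "Target": "registry.example/app:1.2.3 (alpine 3.18.4)", "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "InstalledVersion": "1.0", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "InstalledVersion": "2.1", "FixedVersion": "2.2", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "LOW"}]}]},
    {"ArtifactName": "registry.example/worker:4.0", "Results": [{
        "Target": "registry.example/worker:4.0 (alpine 3.18.4)", "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "InstalledVersion": "1.0", "FixedVersion": "", "Severity": "HIGH"}]}]},
]
# Constructed suppressions: the first is scoped to the app image only; the second has lapsed.
SAMPLE_SUPPRESSIONS = [
    Suppression("CVE-0000-0001", "registry.example/app:*", "libfoo feature disabled at build; TICKET-PLACEHOLDER", date(2099, 1, 1)),
    Suppression("CVE-0000-0002", "registry.example/app:*", "patch was scheduled", date(2020, 1, 1)),
]

if __name__ == "__main__":
    # Pass Trivy JSON report paths as arguments; with none, the constructed sample runs.
    reports = [json.load(open(p, encoding="utf-8")) for p in sys.argv[1:]] or SAMPLE_REPORTS
    sys.exit(gate(reports, SAMPLE_SUPPRESSIONS, today=TODAY if not sys.argv[1:] else None))
```

On the sample data the app image is suppressed for CVE-0000-0001 but still blocked by the lapsed CVE-0000-0002 entry, and the worker image is blocked by CVE-0000-0001 because the suppression's glob does not cover it, which is the behaviour the flat .trivyignore cannot express. Run Trivy with --format json and --exit-code 0, then let this gate decide the build result.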
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp