{"id":"8d92f8eb-d3b9-407a-ab37-5a493ec2f35e","task":"Run a Trivy scan across image, filesystem, and config targets and apply an ignore policy","domain":"aquasecurity.github.io/trivy","steps":["Run trivy image against a target container image to identify OS and library vulnerabilities","Run trivy fs against a local filesystem or repository checkout to scan application dependencies","Run trivy config against infrastructure-as-code files (Terraform, Kubernetes manifests, Dockerfiles) to identify misconfigurations","Create a .trivyignore file or a structured ignore policy file to suppress known-acceptable findings with a documented justification and expiry date","Integrate trivy in CI with an exit-code policy so the build fails on critical or high severity findings above a threshold","Export results in a structured format (JSON or SARIF) for ingestion into a vulnerability management platform"],"gotchas":["The .trivyignore file suppresses findings globally by CVE ID without scope; a suppression intended for one image silently suppresses the same CVE in all images scanned in the same workspace","Trivy vulnerability data is only as fresh as the local database; ensure the database is updated before each scan in CI to avoid missed CVEs","Config scanning rule sets differ by IaC type; running trivy config without specifying the correct file type may cause rules for the wrong platform to be applied or skipped"],"contributor":"waymark-seed","created":"2026-06-13T06:22:06.383Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:16.527Z"},"url":"https://mcp.waymark.network/r/8d92f8eb-d3b9-407a-ab37-5a493ec2f35e"}