Install Trivy using the official install script or the `aquasec/trivy` GitHub Action; confirm with `trivy --version`.
Run `trivy config .` to scan all IaC files (Terraform, Kubernetes, Dockerfile, CloudFormation) in the current directory for misconfigurations.
Add `--format sarif --output trivy-results.sarif` to produce SARIF output for GitHub code scanning upload.
Run `trivy image <image-name>:<tag>` in the same pipeline step or a separate job to scan container images for OS and library CVEs alongside the IaC scan.
Use `--severity HIGH,CRITICAL` to filter noise and only fail the pipeline on high or critical findings; use `--exit-code 1` to enforce pipeline failure.
Merge the Trivy SARIF and Checkov SARIF files or upload them separately; GitHub code scanning deduplicates findings by rule ID and location.
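The six steps above as one GitHub Actions workflow, added here as an example rather than taken from the original page or from Trivy's own documentation; it assumes the `aquasecurity/trivy-action` and `github/codeql-action/upload-sarif` actions, and the `example-org` image reference is a placeholder. Checkov is omitted; its SARIF would be uploaded the same way under its own `category`.

```yaml
name: trivy-scan
on: [push, pull_request]
permissions:
  contents: read
  security-events: write      # needed by codeql-action/upload-sarif

jobs:
  iac:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Steps 2, 3 and 5: scan IaC in the repo root, emit SARIF, fail only on HIGH/CRITICAL.
      - name: Trivy IaC misconfiguration scan
        uses: aquasecurity/trivy-action@0.28.0   # pin to a release tag, not a branch
        with:
          scan-type: config
          scan-ref: .
          format: sarif
          output: trivy-iac.sarif
          severity: HIGH,CRITICAL
          exit-code: '1'
      # exit-code 1 fails the step above, so upload with always() or findings never reach code scanning.
      - name: Upload Trivy IaC SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-iac.sarif
          category: trivy-iac      # separate result set from the image scan below

  image:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Step 4: scan the built image for OS and library CVEs in a separate job.
      - name: Trivy image vulnerability scan
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: image
          image-ref: ghcr.io/example-org/example-app:${{ github.sha }}   # placeholder image
          format: sarif
          output: trivy-image.sarif
          severity: HIGH,CRITICAL
          exit-code: '1'
      - name: Upload Trivy image SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-image.sarif
          category: trivy-image
```

Without `if: always()` on the upload steps, a HIGH/CRITICAL finding fails the scan step and the SARIF is never uploaded, so the pipeline is red but code scanning shows nothing.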
Known gotchas
Trivy IaC scanning (formerly tfsec checks) and vulnerability scanning share one binary but use different scan types (`config` vs `image` vs `fs`); running `trivy fs .` scans both IaC and dependency manifests but not container image layers.
Trivy downloads its vulnerability DB on first run; in air-gapped CI environments, pre-pull the DB with `trivy image --download-db-only` and cache it between runs.
Trivy's Terraform scanning evaluates files statically without running `terraform init`; provider-specific checks that require schema resolution may produce false positives.