Install Trivy via the official install script or package manager, then run trivy image --download-db-only to pre-fetch the vulnerability database before scanning
Scan an image and output a CycloneDX SBOM with embedded vulnerability data: trivy image --format cyclonedx --output image-report.json <IMAGE>:<TAG>
To produce a standalone SBOM without vulnerability data, use trivy image --scanners license,packages --format cyclonedx --output sbom-only.json <IMAGE>:<TAG> (omitting the vuln scanner)
Scan an existing SBOM file for vulnerabilities using trivy sbom ./sbom.cdx.json --format table to re-evaluate the SBOM against the latest vulnerability database without re-pulling the image
Set a severity threshold to fail CI builds: trivy image --exit-code 1 --severity HIGH,CRITICAL <IMAGE>:<TAG>
Known gotchas
Trivy's --format cyclonedx emits a CycloneDX document, but the schema version it writes is not necessarily the latest CycloneDX release; check the --help output of the installed Trivy release for the CycloneDX version it supports before feeding the file to a consumer that expects a specific version
When scanning private registry images, Trivy reads Docker credential helpers and config from the standard Docker credential store; ensure the runner is authenticated before invoking trivy image on private images
Running trivy image in a CI environment without pre-fetching the database causes Trivy to download the full database on every run; point --cache-dir at a directory that the CI system persists between runs so the database is reused instead of re-downloaded each time
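The report written in step 2 (CycloneDX with embedded vulnerability data) can be gated in CI without re-running Trivy, applying the same HIGH,CRITICAL threshold as step 5 and refusing a document whose specVersion predates the vulnerabilities array (the schema-version gotcha above). This is an added example, not Trivy's own code; the embedded BOM is a constructed sample shaped like Trivy's output, and its CVE ids and package names are placeholders.

```python
"""Gate a CI build on a Trivy CycloneDX report (added example; not Trivy's code)."""
import json
import sys

# CycloneDX rating severities, ranked so a threshold can be compared numerically.
SEVERITY_RANK = {"unknown": 0, "none": 0, "info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
RANK_NAME = {4: "critical", 3: "high", 2: "medium", 1: "low", 0: "unknown"}


def worst_severity(vuln):
    """Highest severity across a vulnerability's ratings (Trivy emits lowercase names)."""
    ranks = [SEVERITY_RANK.get(str(r.get("severity", "")).lower(), 0) for r in vuln.get("ratings", [])]
    return max(ranks, default=0)


def evaluate(bom, fail_on=("high", "critical")):
    """Return (findings, exit_code); findings are (vuln id, component, severity) at/above threshold."""
    # The vulnerabilities array only exists from CycloneDX 1.4 on; an older specVersion
    # would silently yield zero findings, so refuse it instead of passing the build.
    if tuple(int(p) for p in str(bom.get("specVersion", "0")).split(".")) < (1, 4):
        raise ValueError(f"specVersion {bom.get('specVersion')} has no vulnerabilities array")
    by_ref = {c["bom-ref"]: f"{c.get('name')}@{c.get('version', '?')}"
              for c in bom.get("components", []) if "bom-ref" in c}
    threshold = min(SEVERITY_RANK[s.lower()] for s in fail_on)
    findings = []
    for v in bom.get("vulnerabilities", []):
        rank = worst_severity(v)
        if rank >= threshold:
            for a in v.get("affects", []):  # one finding per affected component
                findings.append((v.get("id"), by_ref.get(a.get("ref"), a.get("ref")), RANK_NAME[rank]))
    return findings, (1 if findings else 0)


# Constructed sample shaped like Trivy's CycloneDX output; ids and packages are placeholders.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:deb/example/examplelib@1.0.0", "name": "examplelib", "version": "1.0.0"},
        {"bom-ref": "pkg:deb/example/otherlib@2.0.0", "name": "otherlib", "version": "2.0.0"},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-PLACEHOLDER-1", "ratings": [{"severity": "high"}, {"severity": "critical"}],
         "affects": [{"ref": "pkg:deb/example/examplelib@1.0.0"}]},
        {"id": "CVE-0000-PLACEHOLDER-2", "ratings": [{"severity": "low"}],
         "affects": [{"ref": "pkg:deb/example/otherlib@2.0.0"}]},
    ],
}

if __name__ == "__main__":  # usage: python gate.py image-report.json
    findings, code = evaluate(json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_BOM)
    print("\n".join(f"{sev.upper()} {vid} {comp}" for vid, comp, sev in findings))
    sys.exit(code)
```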