Secure Your Containers: Run Trivy Scans Directly on GitHub Actions

Ensure your images are secure by running Trivy scans directly on GitHub Actions. This guide will show you how to set up a workflow to scan for critical vulnerabilities, helping you keep your containers safe from serious security issues.

How to Set Up the Scan

Create a Workflow File
Add a new file to your GitHub repository at .github/workflows/trivy-scan.yml.

Use This Configuration
Here’s a streamlined YAML setup to install Trivy on the runner and scan Docker images for critical vulnerabilities:

name: Trivy Scan - nginx:latest

on: [workflow_dispatch]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Set up Docker
        uses: docker/setup-buildx-action@v1

      - name: Install Trivy
        run: |
          sudo apt-get update
          sudo apt-get install -y wget
          wget https://github.com/aquasecurity/trivy/releases/download/v0.33.0/trivy_0.33.0_Linux-64bit.deb
          sudo dpkg -i trivy_0.33.0_Linux-64bit.deb

      - name: Run Trivy scan
        run: |
          docker pull nginx:latest
          trivy image --severity CRITICAL nginx:latest

Additional Information
While this configuration focuses on scanning for critical vulnerabilities, Trivy also supports scanning for high and medium severity vulnerabilities. You can customize your scans based on the severity levels that best fit your security needs.

Conclusion
By using this GitHub Actions setup, you can automatically scan Docker images for critical vulnerabilities using Trivy. This approach helps maintain a high security standard for your containers, ensuring that major issues are addressed promptly.