Embed in Dockerfile

Scan your image as part of the build process by embedding Trivy in the Dockerfile. This approach can be used to update Dockerfiles currently using Aqua’s Microscanner.

```shell
$ cat Dockerfile
FROM alpine:3.7
RUN apk add curl \
    && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \
    && trivy rootfs --exit-code 1 --no-progress /
$ docker build -t vulnerable-image .
```

Alternatively, you can use Trivy in a multistage build. This avoids the insecure `curl | sh` pattern, and the final image is left unchanged because the scan runs in its own stage.

```dockerfile
[...]
# Run vulnerability scan on build image
FROM build AS vulnscan
COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
RUN trivy rootfs --exit-code 1 --no-progress /
[...]
```
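The fragment above leaves out the stages around the scan. The following complete Dockerfile is an added example, not part of the Trivy documentation; the Go application, the stage names other than `build` and `vulnscan`, the paths and the base image tags are illustrative assumptions. One caveat it handles: BuildKit only builds the stages the final stage depends on, so a `vulnscan` stage that nothing references is silently skipped and the build would "pass" without scanning. The runtime stage therefore copies the binary from `vulnscan` (which inherits it from `build`) rather than from `build` directly, forcing the scan to run.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not from the Trivy docs). Assumes a Go module in the
# build context with a main package at its root; adjust for your project.

# Stage 1: build the application.
FROM golang:1.21-alpine AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app .

# Stage 2: scan the build image's root filesystem.
# The trivy binary is copied from the official image, so no curl | sh.
# --exit-code 1 makes the RUN step (and thus the build) fail on findings;
# --severity limits the gate to HIGH and CRITICAL so the build is not
# blocked by low-severity issues in the toolchain image.
FROM build AS vulnscan
COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
RUN trivy rootfs --exit-code 1 --no-progress --severity HIGH,CRITICAL /

# Stage 3: minimal runtime image. Copying from vulnscan (not build)
# makes the final stage depend on the scan stage, so BuildKit cannot
# prune it away; the scan stage's packages are not carried into the
# final image, only the single binary is.
FROM alpine:3.18
COPY --from=vulnscan /out/app /usr/local/bin/app
USER nobody
ENTRYPOINT ["/usr/local/bin/app"]
```

Build it with `docker build -t myapp .`; to run only the scan without producing the runtime image, use `docker build --target vulnscan .`. Note that the `vulnscan` stage needs network access to download Trivy's vulnerability database, so it will not work in a fully offline build unless the database is provided some other way.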