trivy-action
trivy-action is a GitHub Action that integrates Aqua Security's Trivy vulnerability scanner into CI/CD pipelines. It scans Docker images, filesystems, repositories, and infrastructure-as-code for security vulnerabilities and can generate reports in multiple formats including SARIF for GitHub Code Scanning.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | aquasecurity/trivy-action |
| Owner | aquasecurity |
| Primary language | Shell |
| License | Apache-2.0 — OSI-approved |
| Stars | 1.4k |
| Forks | 354 |
| Open issues | 177 |
| Latest release | v0.36.0 (2026-04-22) |
| Last updated | 2026-07-02 |
| Source | https://github.com/aquasecurity/trivy-action |
What trivy-action is
A shell-based GitHub Action wrapper around Trivy that supports multiple scan types (image, fs, repo, rootfs, config, sbom) with configurable severity filtering, output formats, and built-in caching of vulnerability databases. Configuration precedence follows Viper (action flags > env vars > config file > defaults) and integrates natively with GitHub's code scanning dashboard.
Get the trivy-action source
Clone the repository and explore it locally.
git clone https://github.com/aquasecurity/trivy-action.gitcd trivy-action# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Choose scan type (image, fs, repo, etc.) and set `scan-ref` or `image-ref` explicitly; these are required and cannot be defined in the config file alone.
- Enable caching by default to avoid rate-limiting; use the built-in cache feature pointing to `$GITHUB_WORKSPACE/.cache/trivy` rather than manual setup.
- Understand Viper config precedence (action flags override env vars which override config file); this can be confusing if mixing input definitions across methods.
- Set `exit-code: 1` to fail builds on vulnerability detection, or `exit-code: 0` to report without blocking; default behavior should be validated against your policy.
- For private registries, provide registry credentials via environment variables or GitHub Secrets; the README examples show only public image scenarios.
When to avoid it — and what to weigh
- Self-Hosted or Non-GitHub Actions Environments — This is a GitHub Actions-specific wrapper; deploying on GitLab, Jenkins, or other CI systems requires wrapping or re-implementing against Trivy directly.
- Need for Real-Time Runtime Vulnerability Detection — trivy-action is a static pre-deployment scanner. It cannot detect zero-day exploits or runtime behavior anomalies in production containers; consider runtime security solutions for that use case.
- Requirement for Custom Vulnerability Database or Air-Gapped Deployments — The action downloads Trivy databases from public registries (ghcr.io). Organizations with strict air-gap requirements must pre-cache or host private mirrors; default behavior is not compatible.
- Minimal GitHub Action Logs or Output Control — The action produces verbose logs for debugging; if you need silent or highly constrained output, you may need to post-process or suppress logs via environment variables.
License & commercial use
Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved open-source license. Permits commercial use, modification, and distribution with attribution; includes patent protections and limitations of liability.
Apache-2.0 explicitly permits commercial use. No license restrictions on deploying this action in proprietary CI/CD pipelines or closed-source products. Verify that any vulnerability databases it downloads (from Aqua Security) comply with your organization's commercial or contract terms with Aqua.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
Trivy is widely adopted in the DevSecOps community and maintained by Aqua Security. Database downloads occur over HTTPS from ghcr.io. Action itself has no hardcoded credentials or secrets exposure. Ensure GitHub Actions runner permissions are scoped appropriately (e.g., restrict artifact uploads, code scanning write-access). Vulnerabilities found by Trivy depend on the accuracy of its databases; treat findings as one input to a defense-in-depth strategy, not a single source of truth. No security audit or penetration test results provided in data.
Alternatives to consider
Snyk GitHub Action
Offers similar image and dependency scanning with additional SCA (Software Composition Analysis) and integration with Snyk's commercial platform; higher cost but includes remediation guidance.
Grype (Anchore) GitHub Action
Alternative SBOM-driven vulnerability scanner with similar scope but less GitHub-native integration and smaller ecosystem; useful if you require tool portability beyond GitHub Actions.
Container-Scanning (native GitHub)
If scanning only Docker images and using GitHub's built-in code scanning, GitHub's native container-scanning may suffice; less flexible but reduces external dependency.
Build on trivy-action with DEV.co software developers
Integrate Trivy vulnerability scanning into your GitHub Actions workflow to detect and block security risks before deployment. Get started in minutes with native GitHub Code Scanning integration.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
trivy-action FAQ
Do I need a Trivy license to use trivy-action?
Can I scan private Docker registries with trivy-action?
What's the difference between setting config in the action vs. trivy.yaml file?
How do I prevent rate-limiting on vulnerability database downloads?
Software developers & web developers for hire
DEV.co helps companies turn open-source tools like trivy-action into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.
Secure Your Build Pipeline Now
Integrate Trivy vulnerability scanning into your GitHub Actions workflow to detect and block security risks before deployment. Get started in minutes with native GitHub Code Scanning integration.