DEV.co
Open-Source Security · aquasecurity

trivy-action

trivy-action is a GitHub Action that integrates Aqua Security's Trivy vulnerability scanner into CI/CD pipelines. It scans Docker images, filesystems, repositories, and infrastructure-as-code for security vulnerabilities and can generate reports in multiple formats including SARIF for GitHub Code Scanning.

Source: GitHub — github.com/aquasecurity/trivy-action
1.4k
GitHub stars
354
Forks
Shell
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryaquasecurity/trivy-action
Owneraquasecurity
Primary languageShell
LicenseApache-2.0 — OSI-approved
Stars1.4k
Forks354
Open issues177
Latest releasev0.36.0 (2026-04-22)
Last updated2026-07-02
Sourcehttps://github.com/aquasecurity/trivy-action

What trivy-action is

A shell-based GitHub Action wrapper around Trivy that supports multiple scan types (image, fs, repo, rootfs, config, sbom) with configurable severity filtering, output formats, and built-in caching of vulnerability databases. Configuration precedence follows Viper (action flags > env vars > config file > defaults) and integrates natively with GitHub's code scanning dashboard.

Quickstart

Get the trivy-action source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/aquasecurity/trivy-action.gitcd trivy-action# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Container Image Vulnerability Scanning in CI/CD

Automatically scan Docker images at build time before deployment. Configure severity thresholds and exit codes to block builds containing critical vulnerabilities, integrating seamlessly into GitHub-hosted workflows.

Multi-Stage Infrastructure Security Assessment

Scan infrastructure-as-code (IaC), source repositories, and filesystem artifacts in a single workflow. Use caching to optimize repeated scans and avoid rate-limiting from vulnerability database updates.

Compliance Reporting via SBOM and SARIF Export

Generate Software Bill of Materials (SBOM) and upload results to GitHub Code Scanning dashboard for policy enforcement. Support for sarif, json, and table formats enables integration with external SIEM/compliance platforms.

Implementation considerations

  • Choose scan type (image, fs, repo, etc.) and set `scan-ref` or `image-ref` explicitly; these are required and cannot be defined in the config file alone.
  • Enable caching by default to avoid rate-limiting; use the built-in cache feature pointing to `$GITHUB_WORKSPACE/.cache/trivy` rather than manual setup.
  • Understand Viper config precedence (action flags override env vars which override config file); this can be confusing if mixing input definitions across methods.
  • Set `exit-code: 1` to fail builds on vulnerability detection, or `exit-code: 0` to report without blocking; default behavior should be validated against your policy.
  • For private registries, provide registry credentials via environment variables or GitHub Secrets; the README examples show only public image scenarios.

When to avoid it — and what to weigh

  • Self-Hosted or Non-GitHub Actions Environments — This is a GitHub Actions-specific wrapper; deploying on GitLab, Jenkins, or other CI systems requires wrapping or re-implementing against Trivy directly.
  • Need for Real-Time Runtime Vulnerability Detection — trivy-action is a static pre-deployment scanner. It cannot detect zero-day exploits or runtime behavior anomalies in production containers; consider runtime security solutions for that use case.
  • Requirement for Custom Vulnerability Database or Air-Gapped Deployments — The action downloads Trivy databases from public registries (ghcr.io). Organizations with strict air-gap requirements must pre-cache or host private mirrors; default behavior is not compatible.
  • Minimal GitHub Action Logs or Output Control — The action produces verbose logs for debugging; if you need silent or highly constrained output, you may need to post-process or suppress logs via environment variables.

License & commercial use

Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved open-source license. Permits commercial use, modification, and distribution with attribution; includes patent protections and limitations of liability.

Apache-2.0 explicitly permits commercial use. No license restrictions on deploying this action in proprietary CI/CD pipelines or closed-source products. Verify that any vulnerability databases it downloads (from Aqua Security) comply with your organization's commercial or contract terms with Aqua.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Trivy is widely adopted in the DevSecOps community and maintained by Aqua Security. Database downloads occur over HTTPS from ghcr.io. Action itself has no hardcoded credentials or secrets exposure. Ensure GitHub Actions runner permissions are scoped appropriately (e.g., restrict artifact uploads, code scanning write-access). Vulnerabilities found by Trivy depend on the accuracy of its databases; treat findings as one input to a defense-in-depth strategy, not a single source of truth. No security audit or penetration test results provided in data.

Alternatives to consider

Snyk GitHub Action

Offers similar image and dependency scanning with additional SCA (Software Composition Analysis) and integration with Snyk's commercial platform; higher cost but includes remediation guidance.

Grype (Anchore) GitHub Action

Alternative SBOM-driven vulnerability scanner with similar scope but less GitHub-native integration and smaller ecosystem; useful if you require tool portability beyond GitHub Actions.

Container-Scanning (native GitHub)

If scanning only Docker images and using GitHub's built-in code scanning, GitHub's native container-scanning may suffice; less flexible but reduces external dependency.

Software development agency

Build on trivy-action with DEV.co software developers

Integrate Trivy vulnerability scanning into your GitHub Actions workflow to detect and block security risks before deployment. Get started in minutes with native GitHub Code Scanning integration.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

trivy-action FAQ

Do I need a Trivy license to use trivy-action?
No. Trivy itself is open-source (Apache-2.0) and free to use. The vulnerability databases it downloads are maintained by Aqua Security but available publicly. Aqua offers commercial Trivy Enterprise, but the action uses the free community version by default.
Can I scan private Docker registries with trivy-action?
Yes, but you must provide registry credentials via environment variables (e.g., `TRIVY_USERNAME`, `TRIVY_PASSWORD`) or GitHub Secrets. The README does not show private registry examples, so requires review of Trivy's documentation.
What's the difference between setting config in the action vs. trivy.yaml file?
Both methods work, but action flags override environment variables which override the config file. Use the config file for team-wide policies and action flags for job-specific overrides. `scan-type`, `scan-ref`, and `image-ref` must be defined in action inputs or env vars; they cannot be in the config file alone.
How do I prevent rate-limiting on vulnerability database downloads?
Enable caching (default behavior). Use the built-in `cache` input or manually set up a cron job to pre-fetch databases into the default branch cache, then skip DB updates in downstream jobs via `TRIVY_SKIP_DB_UPDATE` and `TRIVY_SKIP_JAVA_DB_UPDATE` environment variables.

Software developers & web developers for hire

DEV.co helps companies turn open-source tools like trivy-action into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.

Secure Your Build Pipeline Now

Integrate Trivy vulnerability scanning into your GitHub Actions workflow to detect and block security risks before deployment. Get started in minutes with native GitHub Code Scanning integration.